User Management v10.6

Mac OS X Server
User Management
Version 10.6 Snow Leopard
Apple Inc. %
2009 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid-for
support services.
lvery e1ort has been made to ensure that the
information in this manual is accurate. Apple Inc. is not
responsible for printing or clerical errors.
Apple
1 ln6nite loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com
Use of the keyboard Apple logo (Option-Shift-K) for
commercial purposes without the prior written consent
of Apple may constitute trademark infringement and
unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, Bonjour,
FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh,
QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are
trademarks of Apple Inc., registered in the U.S. and other
countries. Apple Remote Desktop, Extensions Manager,
Finder, iWork, and Safari are trademarks of Apple Inc.
Mac is a service mark of Apple Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
The Bluetooth word mark and logos are registered
trademarks owned by the Bluetooth SIG, Inc. and any
use of such marks by Apple is under license.
Java and all Java-based trademarks and logos
are trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark of The Open Group.
Other company and product names mentioned herein
are trademarks of their respective companies. Mention
of third-party products is for informational purposes
only and constitutes neither an endorsement nor a
recommendation. Apple assumes no responsibility with
regard to the performance of these products.
019-1415/2009-08-01
13 Preface: About This Guide
13 Whats New in Workgroup Manager
14 Whats in This Guide
15 Using Onscreen Help
16 Documentation Map
17 Viewing PDF Guides Onscreen
17 Printing PDF Guides
18 Getting Documentation Updates
18 Getting Additional Information
19 Chapter 1: User Management Overview
19 Tools for User Management
19 Workgroup Manager
20 Server Admin
21 Server Preferences
21 Command-Line Tools
21 Accounts
22 Administrator Accounts
23 User Accounts
24 Group Accounts
25 Computer Accounts
25 Computer Groups
25 The User Experience
25 Authentication and Identity Validation
27 Information Access Control
28 SIDs and Windows Interoperability
29 Chapter 2: Getting Started with User Management
29 Setup Overview
32 Planning Strategies for User Management
32 Analyzing Your Environment
33 Identifying Directory Services Requirements
33 Determining Server and Storage Requirements
3
Contents
4 Contents
35 Choosing a Home Folder Structure
36 Devising a Home Folder Distribution Strategy
36 Identifying Groups
37 Determining Administrator Requirements
38 Chapter 3: Getting Started with Workgroup Manager
38 Con6guring the Administrator's Computer and Account
38 Setting Up an Administrator Computer
39 Creating a Directory Administrator Account
40 Using Workgroup Manager
40 Using Mac OS X Server v10.6 to Administer Earlier Versions of Mac OS X
40 Connecting and Authenticating to Directory Domains in Workgroup Manager
41 Major Workgroup Manager Tasks
42 Modifying Workgroup Manager Preferences
43 Finding and Listing Accounts
43 Working with Account Lists in Workgroup Manager
44 Listing Accounts in the Local Directory Domain
44 Listing Accounts in Search Policy Directory Domains
45 Listing Accounts in Available Directory Domains
46 Refreshing Account Lists
46 linding Speci6c Accounts in a list
47 Using Advanced Search
47 Sorting Users and Groups
48 Shortcuts for Working with Accounts
48 Using Presets
48 Editing Multiple Accounts Simultaneously
50 Importing and Exporting Account Information
51 Chapter 4: Setting Up User Accounts
51 About User Accounts
51 Where User Accounts Are Stored
52 Prede6ned User Accounts
53 Administering User Accounts
53 Creating User Accounts
57 Creating Augmented User Records
58 Editing User Account Information
59 Editing User Account Information from the Command Line
59 Working with Read-Only User Accounts
60 Working with Guest Users
60 Working with Windows User Accounts
61 Deleting a User Account
62 Disabling a User Account
63 Working with Presets
Contents 5
63 Creating a Preset for User Accounts
64 Using Presets to Create Accounts
64 Renaming Presets
64 Editing Presets
65 Deleting a Preset
65 Working with Basic Settings
65 Modifying User Names
66 Modifying Short Names
67 Choosing Stable Short Names
68 Avoiding Duplicate Names
69 Modifying User IDs
70 Assigning a Password to a User
71 Assigning Administrator Privileges for a Server
72 Choosing a Users Login Picture
73 Working with Privileges
73 Removing Administrative Privileges from a User
74 Giving a User Limited Administrative Capabilities
75 Giving a User Full Administrative Capabilities
76 Working with Advanced Settings
76 Enabling a Users Calendar
77 Allowing a User to Log In to More Than One Computer at a Time
77 Choosing a Default Shell
78 Choosing a Password Type and Setting Password Options
79 Creating a Master List of Keywords
80 Applying Keywords to User Accounts
80 Editing Comments
81 Working with Group Settings
81 Choosing a Users Primary Group
82 Reviewing a Users Group Memberships
82 Adding a User to a Group
83 Removing a User from a Group
84 Working with Home Settings
84 Working with Mail Settings
84 Enabling Mail Service Account Options
85 Disabling a Users Mail Service
85 Forwarding a Users Mail
86 Working with Print Quota Settings
86 Enabling a Users Access to All Available Print Queues
86 lnabling a User's Access to Speci6c Print Queues
87 Removing a Print Quota for a Queue
88 Resetting a Users Print Quota
88 Disabling a Users Access to Print Queues That Enforce Quotas
89 Working with Info Settings
6 Contents
89 Working with Windows Settings
90 Changing a windows User's Pro6le location
91 Changing a Windows Users Login Script Location
91 Changing a Windows Users Home Folder Drive Letter
92 Changing a Windows Users Home Folder Location
92 Working with GUIDs
92 Viewing GUIDs
93 Chapter 5: Setting Up Group Accounts
93 About Group Accounts
93 How Group Accounts Track Membership
94 Where Group Accounts Are Stored
94 Prede6ned Croup Accounts
96 Administering Group Accounts
96 Creating Group Accounts
98 Creating a Preset for Group Accounts
98 Editing Group Account Information
99 Creating Hierarchical Groups
102 Upgrading Legacy Groups
102 Working with Read-Only Groups
103 Deleting a Group
103 Working with Basic Settings for Groups
103 Naming a Group
104 0e6ning a Croup lD
105 Choosing a Groups Login Picture
106 Enabling a Groups Web Services When Connecting to Mac OS X Server v10.5
107 Working with Member Settings for Groups
107 Adding Users or Groups to a Group
109 Removing Group Members
111 Working with Group Folder Settings
111 Specifying No Group Folder
112 Creating a Group Folder
114 Designating a Group Folder for Use by Multiple Groups
115 Chapter 6: Setting Up Computers and Computer Groups
115 About Computer Accounts
116 Creating Computer Accounts
117 Working with Guest Computers
118 Working with Windows Computers
118 About Computer Groups
118 0i1erences between Computer Croups and Computer lists
119 Administering Computer Groups
119 Creating a Computer Group
Contents 7
120 Creating a Preset for Computer Groups
121 Using a Computer Group Preset
121 Adding Computers or Computer Groups to a Computer Group
122 Removing Computers and Computer Groups from a Computer Group
122 Deleting a Computer Group
123 Upgrading Computer Lists to Computer Groups
124 Chapter 7: Setting Up Home Folders
124 About Home Folders
125 Hosting Home Folders for Mac OS X Clients
125 Hosting Home Folders for Other Clients
126 Distributing Home Folders Across Multiple Servers
127 Administering Share Points
127 Setting Up a Share Point
128 Setting Up an Automountable AFP Share Point for Home Folders
129 Setting Up an Automountable NFS Share Point for Home Folders
130 Setting Up an SMB Share Point
132 Administering Home Folders
132 Specifying No Home Folder
133 Creating a Home Folder for a Local User
134 Creating a Network Home Folder
136 Creating a Custom Location for Home Folders
138 Setting Up a Home Folder for a Windows User
140 Setting Disk Quotas
141 Setting Disk Quotas for Windows Users to Avoid Data Loss
142 Using Presets to Choose Default Home Folders
142 Moving Home Folders
142 Deleting Home Folders
143 Chapter 8: Managing Portable Computers
143 About Mobile Accounts
144 About Portable Home Directories
145 Logging In to Mobile Accounts
146 Resolving Sync Conicts
146 About External Accounts
147 Logging In to External Accounts
148 Considerations and Strategies for Deploying Mobile Accounts
148 Advantages of Using Mobile Accounts
149 Considerations for Using Mobile Accounts
151 Strategies for Syncing Content
152 Setting Up Mobile Accounts for Use on Portable Computers
152 Con6guring Portable Computers
153 Managing Mobile Clients Without Using Mobile Accounts
8 Contents
153 Unknown Mac OS X Portable Computers
154 Using Mac OS X Portable Computers with One Primary Local User
154 Using Mac OS X Portable Computers with Multiple Users
156 Securing Mobile Clients
157 Optimizing the File Server for Mobile Accounts
158 Chapter 9: Client Management Overview
159 Using Network-Visible Resources
160 Customizing the User Experience
160 The Power of Preferences
161 Designing the Login Experience
163 Choosing a Workgroup
164 Working with Synced Homes
164 lmproving workow
166 Chapter 10: Managing Preferences
166 Using Workgroup Manager to Manage Preferences
168 Understanding Managed Preference Interactions
170 Understanding Hierarchical Preference Management
171 Setting the Permanence of Management
172 Caching Preferences
172 Preference Management Basics
173 Managing User Preferences
173 Managing Group Preferences
174 Managing Computer Preferences
175 Managing Computer Group Preferences
175 0isabling Vanagement for Speci6c Preferences
176 Managing Access to Applications
177 Controlling User Access to Speci6c Applications and lolders
179 Allowing Speci6c 0ashboard widgets
179 Disabling Front Row
180 Allowing legacy Users to Open Speci6c Applications and lolders
181 Managing Classic Preferences
182 Selecting Classic Startup Options
182 Choosing a Classic System Folder
183 Allowing Special Actions During Restart
184 Controlling Access to Classic Apple Menu Items
185 Adjusting Classic Sleep Settings
185 Maintaining Consistent User Preferences for Classic
186 Managing Dock Preferences
186 Controlling the Users Dock
187 Providing Easy Access to Group Folders
188 Adding Items to a Users Dock
Contents 9
189 Preventing Users from Adding or Deleting Dock Items
189 Managing Energy Saver Preferences
190 Using Sleep and Wake Settings for Desktop Computers
191 Setting Energy Saver Settings for Portable Computers
192 Displaying Battery Status to Users
193 Scheduling Automatic Startup, Shutdown, or Sleep
194 Managing Finder Preferences
194 Setting Up Simple Finder
195 Keeping Disks and Servers from Appearing on the Users Desktop
196 Controlling the Behavior of Finder Windows
196 Hiding the Alert Message When a User Empties the Trash
197 Making Filename Extensions Visible
197 Controlling User Access to Remote Servers
197 Controlling User Access to an iDisk
198 Preventing Users from Ejecting Discs
198 Hiding the Burn Disc Command in the Finder
199 Controlling User Access to Folders
199 Removing Restart and Shut Down from the Apple Menu
199 Adjusting the Appearance and Arrangement of Desktop Items
200 Adjusting the Appearance of Finder Window Contents
201 Managing Login Preferences
202 Changing the Appearance of the Login Window
204 Con6guring Viscellaneous login Options
205 Choosing Who Can Log In
206 Customizing the Workgroups Displayed at Login
208 Enabling the Use of Login and Logout Scripts
210 Choosing a Login or Logout Script
211 Automatically Opening Items After a User Logs In
212 Providing Access to a Users Network Home Folder
213 Providing Easy Access to the Group Share Point
213 Managing Media Access Preferences
214 Controlling Access to CDs, DVDs, and Recordable Discs
214 Controlling Access to Hard Drives, Disks, and Disk Images
215 Ejecting Removable Media Automatically When a User Logs Out
215 Managing Mobility Preferences
216 Creating a Mobile Account
218 Preventing the Creation of a Mobile Account
218 Manually Removing Mobile Accounts from Computers
219 Enabling FileVault for Mobile Accounts
221 Selecting the Location of a Mobile Account
222 Creating External Accounts
224 Setting Expiration Periods for Mobile Accounts
224 Choosing Folders to Sync
10 Contents
226 Stopping Files from Syncing for a Mobile Account
226 Setting the Background Sync Frequency
227 Showing Mobile Account Status in the Users Menu Bar
228 Managing Network Preferences
228 Con6guring Proxy Servers by Port
229 Allowing Users to bypass Proxy Servers for Speci6c 0omains
230 Enabling Passive FTP Mode
230 Disabling Internet Sharing
231 Disabling AirPort
231 Disabling Bluetooth
232 Managing Parental Controls Preferences
232 Hiding Profanity in Dictionary
232 Preventing Access to Adult Websites
233 Allowing Access Only to Speci6c websites
235 Setting Time Limits and Curfews on Computer Usage
235 Managing Printing Preferences
236 Making Printers Available to Users
236 Preventing Users from Modifying the Printer List
237 Restricting Access to Printers Connected to a Computer
238 Setting a Default Printer
238 Restricting Access to Printers
238 Adding a Page Footer to All Printouts
239 Managing Software Update Preferences
240 Managing Access to System Preferences
241 Managing Time Machine Preferences
242 Managing Universal Access Preferences
242 Adjusting the Users Display Settings
243 Setting a Visual Alert
244 Adjusting Keyboard Accessibility Options
245 Adjusting Mouse and Pointer Responsiveness
246 Enabling Universal Access Shortcuts
246 Allowing Devices for Users with Special Needs
247 Using the Preference Editor with Preference Manifests
248 Adding to the Preference Editors List
249 Editing Application Preferences with the Preference Editor
251 Removing an Applications Managed Preferences in the Preference Editor
251 Using the Preference Editor to Manage Core Services
253 Using the Preference Editor to Manage Safari
254 Using the Preference Editor to Manage Apple Remote Desktop
255 Managing Preferences from the Command Line
255 Using Managed Client Extensions
259 0etermining l1ective Vanaged Preferences
260 Manually Refreshing Managed Preferences
Contents 11
261 Chapter 11: Solving Problems
261 Diagnosing Common Network Issues
261 Testing Your Networks Time and Time Zones
262 Testing Your DNS Service
263 Testing Your DHCP Service
264 Solving Account Problems
264 If You Want to Use Earlier Versions of Workgroup Manager
264 If You Cant Edit an Account Using Workgroup Manager
264 If Users Cant See Their Names in the Login Window
264 If You Cant Unlock an LDAP Directory
265 If You Cant Modify a Users Open Directory Password
265 If You Cant Change a Users Password Type to Open Directory
265 If You Cant Assign Server Administrator Privileges
265 If Users Cant Log In or Authenticate
266 If Users Relying on a Password Server Cant Log In
267 If Users Cant Log In with Accounts in a Shared Directory Domain
267 If Users Cant Access Their Home Folders
267 If Users Cant Change Their Passwords
267 If Users Cant Authenticate Using Single Sign-On or Kerberos
267 If You Cant Set User Wiki and Blog Settings
268 Solving Problems with a Primary or Backup Domain Controller
268 If a Windows User Cant Log in to the Windows Domain
268 If a Windows User Has No Home Folder
268 lf a windows User's Pro6le Settings Revert to 0efaults
269 If a Windows User Loses the Contents of the My Documents Folder
269 Solving Preference Management Problems
269 Testing Your Managed Client Settings
270 If Users Dont See a List of Workgroups at Login
270 If Users Cant Open Files
270 If Users Cant Add Printers to a Printer List
271 If Login Items Added by a User Dont Open
271 If Items Placed in the Dock by a User Are Missing
272 If a Users Dock Has Duplicate Items
272 If Users See a Question Mark in the Dock
272 If Users See a Message About an Unexpected Error
272 If You Cant Manage Network Views
273 Appendix: Importing and Exporting Account Information
273 Understanding What You Can Import and Export
274 Limitations for Importing and Exporting Passwords
274 Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
275 Archiving the Open Directory Master
275 Using Workgroup Manager to Import Accounts
12 Contents
276 Using the Command Line to Import Accounts
278 Creating a Character-Delimited User Import File
281 Using Workgroup Manager to Export Accounts
282 Using the Command Line to Export Users and Groups
283 Using XML Files Created with Mac OS X Server v10.1 or Earlier
284 Using XML Files Created with AppleShare IP 6.3
285 Index
13
This guide explains how to use Workgroup Manager and
the command line to set up and manage accounts and
preferences for clients.
Mac OS X Server includes Workgroup Manager, a user management tool you can use
to create and manage accounts. Mac OS X Server also allows you to use the command
line to create and manage accounts.
when managing accounts, you can de6ne core account settings like name, password,
home folder location, and group membership. You can also manage preferences,
allowing you to customize the users experience, granting or restricting access to his or
her computers settings and to network resources.
Workgroup Manager works closely with a directory domain. Directory domains are like
databases but are speci6cally designed for storing account information and handling
authentication.
Whats New in Workgroup Manager
Improved augmented record support. Augmented user records are imported user
accounts that allow you to enable speci6c settings such as the user's login picture,
or to manage preferences.
lhese settings are speci6c to the augmented record. ou don't need to edit the
accounts stored in the original directory domain. The settings you arent allowed to
edit are synced with the directory domain theyre imported from.
You can use augmented user records to manage preferences for accounts stored
in an Active Directory domain or in an Open Directory domain that you dont
have editing permissions for. For more information, see Creating Augmented User
Records on page 57.
P
r
e
f
a
c
e
About This Guide
14 Preface About This Guide
External accounts support MS-DOS (FAT) format. External accounts are supported
on external drives that use the MS-DOS (FAT) format.
An external account is a mobile account that has its local home folder stored in a
volume on an external drive. The portable home directory is created from the local
home folder stored on that external drive and the users network home folder.
External accounts now support external or ejectable volumes formatted as
Mac OS X Extended format (HFS Plus) or MS-DOS format (FAT). For more information,
see About External Accounts on page 146.
Whats in This Guide
This guide includes the following sections:
Chapter 1, User Management Overview, highlights important concepts, introduces
user management tools, and tells you where to 6nd additional information about
user management and related topics.
Chapter 2, Getting Started with User Management, provides planning and setup
information to create a user management environment.
Chapter 3, Getting Started with Workgroup Manager, describes how to set up
Workgroup Manager and use its core features.
Chapters 4, 5, and 6 explain how to use Workgroup Manager to set up users, groups,
computers, and computer groups.
Chapter 7, Setting Up Home Folders, covers creating home folders.
Chapter 8, Managing Portable Computers, details considerations for managing
portable computers.
Chapter 9, Client Management Overview, introduces client management tools and
concepts, such as how to customize a users work environment and provide user
access to network resources.
Chapter 10, Managing Preferences, describes how to use Workgroup Manager to
control preference settings for users, groups, computers, and computer groups that
use Mac OS X.
Chapter 11, Solving Problems, helps you address issues involving account creation,
home folder maintenance, preference management, and client setup, and also helps
you solve problems encountered by managed clients.
The appendix, Importing and Exporting Account Information, provides information
you need to transfer account information to or from an external 6le.
Note: Because Apple periodically releases new versions and updates to its software,
images shown in this book may be di1erent from what you see on your screen.
Preface About This Guide 15
Using Onscreen Help
You can get task instructions onscreen in the Help Viewer application while youre
managing Mac OS X Server v10.6. You can view help on a server or an administrator
computer. (An administrator computer is a Mac OS X computer with Mac OS X Server
administration v10.6 software installed on it.)
To get the most recent onscreen help for Mac OS X Server v10.6:
Open Workgroup Manager and then: B
Use the Help menu to search for a task you want to perform.
Choose Help > Workgroup Manager Help to browse and search the help topics.
To see the most recent server help topics:
Make sure the server or administrator computer is connected to the Internet while B
youre getting help.
Help Viewer automatically retrieves and caches the most recent server help topics
from the Internet. When not connected to the Internet, Help Viewer displays cached
help topics.
Documentation Map
Mac OS X Server v10.6 has a suite of guides which can cover management of
individual services. Each service may be dependent on other services for maximum
utility. The documentation map below shows some related documentation that you
may need to fully con6gure your desired service to your speci6cations. ou can get
some of these guides in PDF format from the Mac OS X Server documentation website:
www.apple.com/server/resources/
Getting Started
Describes using Server
Preferences to set up
accounts and con6gure
services. Includes basic
conceptual information.
Server
Preferences Help
Provides onscreen
instructions and answers
when youre using
Server Preferences.
User Management
Describes using Workgroup
Manager to set up accounts,
home folders, and managed
preferences. Includes
advanced conceptual
information.
Workgroup
Manager Help
Provides onscreen
when youre using
Workgroup Manager.
Server Admin Help
Provides onscreen
when youre using
Server Admin.
Server
Administration Guides
Each guide covers using
Server Admin and
command-line tools to
con6gure advanced settings
for a particular service.
Preface About This Guide 17
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
Show bookmarks to see the guides outline, and click a bookmark to jump to the
corresponding section.
Search for a word or phrase to see a list of places where it appears in the document.
Click a listed place to see the page where it occurs.
Click a cross-reference to jump to the referenced section. Click a web link to visit the
website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
Save ink or toner by not printing the cover page.
Save color ink on a color printer by looking in the panes of the Print dialog for an
option to print in grays or black and white.
Reduce the bulk of the printed document and save paper by printing more than
one page per sheet of paper. In the Print dialog, change Scale to 115% (155%
for Getting Started). Then choose Layout from the untitled pop-up menu. If your
printer supports two-sided (duplex) printing, select one of the Two-Sided options.
Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose
Single Hairline from the Border menu. (If youre using Mac OS X v10.4 or earlier, the
Scale setting is in the Page Setup dialog and the Layout settings are in the Print
dialog.)
You may want to enlarge the printed pages even if you dont print double sided,
because the PDF page size is smaller than standard printer paper. In the Print dialog
or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has
CD-size pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised
help pages update the latest editions of the guides.
To view new onscreen help topics for a server application, make sure your server or
administrator computer is connected to the Internet and click Latest help topics or
Staying current in the main help page for the application.
To download the latest guides in PDF format, go to the Mac OS X Server
documentation website:
www.apple.com/server/resources/
An RSS feed listing the latest updates to Mac OS X Server documentation and
onscreen help is available. To view the feed use an RSS reader application, such as
Safari or Mail:
feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml
Getting Additional Information
For more information, consult these resources:
Read Me documentsget important updates and special information. Look for them
on the server discs.
Mac OS X Server website (www.apple.com/server/macosx/)enter the gateway to
extensive product and technology information.
Mac OS X Server Support website (www.apple.com/support/macosxserver/)access
hundreds of articles from Apples support organization.
Apple Discussions website (discussions.apple.com/)share questions, knowledge,
and advice with other administrators.
Apple Mailing Lists website (www.lists.apple.com/)subscribe to mailing lists so you
can communicate with other administrators using email.
^|e !to|o|oq ooJ cett|hcot|oo webs|te (www.apple.com/training/)hone
your server administration skills with instructor-led or self-paced training,
and di1erentiate yourself with certi6cation.
19
Use this chapter to learn user management concepts and the
applications used to manage accounts and privileges.
User management encompasses everything from setting up accounts for network
access and creating home folders to 6ne-tuning the user experience by managing
preferences and settings for users, groups, computers, and computer groups. Mac OS X
Server provides tools for accomplishing these tasks and more.
Tools for User Management
User management tools and technologies in Mac OS X Server include Workgroup
Manager, Server Admin, Server Preferences, and command-line tools.
Workgroup Manager
Workgroup Manager is a powerful tool that delivers features for comprehensive
management of Macintosh clients.
You can use Workgroup Manager on a computer with Mac OS X or Mac OS X Server
installed. Workgroup Manager included with Mac OS X Server v10.6 can manage client
computers running Mac OS X v10.4 or later.
Workgroup Manager provides a centralized method of managing Mac OS X computers,
controlling access to software and removable media, and providing a consistent,
personalized experience for users at di1erent levels, whether they're beginners in a
classroom or advanced users in an o1ce or a campus.
You use Workgroup Manager to create user accounts and set up groups to provide
convenient access to resources. You can:
Use account settings and managed preferences to achieve the level of
administrative control you need, while making the user experience more e1cient
Manage Finder, login, media access, and print settings
Control access to computers and restrict the applications allowed to run on them
1
User Management Overview
Using Workgroup Manager with Mac OS X Server services, you can:
Customize the work environments of network users by organizing their desktop
resources and personal 6les
lnable services that require user accounts, such as mail, 6le sharing, and iChat
service
Share system resources, such as printers and computers, maximizing their availability
and ensuring that disk space and printer usage are equitably shared
To get started with Workgroup Manager, see Chapter 3, Getting Started with
Workgroup Manager.
Server Admin
The Server Admin application provides access to various tools and services that play a
role in server management.
After installing the Mac OS X Server software, use Server Admin to set up directory
services and establish your network. Then use Workgroup Manager to create and
manage accounts. After that, use Server Admin to set up additional services to provide
mail service, host websites, share printers, and create share points (which allow users
to share folders and 6les).
For information about how to use the many services managed through Server
Admin, see the service administration guides. The following table lists common server
administration tasks and includes the location of related documentation.
To See this document
Assign permissions to folders and 6les in a share
point
File Server Administration
Share printers among users Print Server Administration
Set up websites or WebDAV support on the
server
Web Technologies Administration
Provide email service for users Mail Service Administration
Broadcast multimedia from the server in real time QuickTime Streaming Server Administration
Provide identical operating system and
applications folders for client computers
System Image and Software Update Administration
Install applications across a network System Image and Software Update Administration
Share information among multiple Mac OS X
Server systems or Mac OS X computers
Open Directory Administration
20 Chapter 1 User Management Overview
Chapter 1 User Management Overview 21
Server Preferences
ou can use Server Preferences to con6gure key features of collaboration and 6le
services. Its streamlined approach allows novice system administrators to quickly
con6gure a server without requiring much technical knowledge.
ou can also use Server Preferences to con6gure user and group accounts (such as
setting passwords, enabling services, and assigning group membership), but not
computer or computer group accounts. However, you cant use Server Preferences to
manage user preferences.
For more information, see Getting Started and Server Preferences Help.
Command-Line Tools
Mac OS X Server v10.6 includes several client-management command-line tools.
For example, the dscl tool allows you to view and edit account settings and manage
preferences, while the mcxquery tool reports the managed preferences that are
e1ective for a particular user.
Use the mcxquery tool to review how combined and overridden managed preferences
interact at the user, group, computer, or computer group level. The tool also
determines which directory domain stores those managed preference settings.
This guide describes how to perform many tasks from Workgroup Manager and the
command line.
Accounts
To manage accounts, you use an administrator account. With an administrator account,
you can set up and manage the following account types:
User accounts
Group accounts
Computer accounts
Computer groups
When creating a user account, you must specify a user name and password, which are
needed to prove the user's identity. ou can also specify a user identi6cation number
(user l0 or Ul0), which is used for folder and 6le permissions.
Other user account information is used by various services to determine what the user
is authorized to do and to personalize the users environment.
ln addition to the accounts you create, Vac OS \ Server also has prede6ned user and
group accounts, some of which are reserved for use by Mac OS X.
Administrator Accounts
Users with server administration or directory domain administration privileges are
known as administrators. An administrator can be a server administrator, directory
administrator, or both.
Server administrator privileges determine whether a user can change the settings of a
server.
Directory administrator privileges determine the extent to which an administrator can
change account settings for users, groups, computers, and computer groups in the
directory domain.
Server Administration
Server administration privileges determine the functions available to a user when
logged in to a Mac OS X Server. For example, a server administrator can use Directory
Utility to make changes to a servers search policy.
When you assign server administration privileges to a user, the user is added to the
admin group in the servers local directory domain. Many Mac OS X applications
such as Server Admin, Directory Utility, and System Preferencesuse the admin group
to determine whether a user can perform administrative activities with the application.
Local Mac OS X Computer Administration
Any user who belongs to the admin group in the local directory domain has
administrator privileges on that computer. If you add a group from another directory
domain to the admin group of the local directory domain, members of that group
become administrators on the computer.
Limited Administration
You can control the extent to which a limited administrator can use Workgroup
Manager to change account data stored in a domain.
For example, you can set up directory domain privileges so your network administrator
can add and remove user accounts but allow limited administrators to change the
information for users, or you can designate multiple limited administrators to manage
di1erent groups.
For more information, see Giving a User Limited Administrative Capabilities on
page 74.
Directory Domain Administration
When you create a directory domain in Mac OS X Server, a directory administrator
account is created and added to the admin group in the domain.
If you plan on connecting your directory domain to other directory domains, choose a
unique user name and ID for each directory administrator.
When you assign full directory domain administration privileges to a user, the user is
added to the admin group in the directory domain. This does not grant the user local
admin privileges on the servers hosting this directory domain or on any other servers
or clients bound to this directory domain.
Each directory domain has a directory administrator account, and a directory
administrator can create additional directory administrators in the same domain. Any
user with a user account in a directory domain can be made a directory administrator
(an administrator of that domain).
For more information, see Giving a User Full Administrative Capabilities on page 75.
User Accounts
Depending on how you set up server and user accounts, you can use Mac OS X Server
to support users who log in using Mac OS X computers, Windows computers, or UNIX
computers.
Most users have an individual account used to authenticate them and control their
access to services. when you want to personalize a user's environment, you de6ne user,
group, computer, or computer group preferences for that user.
The term managed client or managed user refers to a user who has administrator-
controlled preferences associated with his or her account. Managed client is also used
to refer to computers or computer groups that have preferences de6ned for them.
To learn more about how to set up user accounts, see Chapter 4, Setting Up User
Accounts. To specify the preferences for user accounts, see Chapter 10, Managing
Preferences.
Guest Account
You can provide services for users who cant be authenticated because they dont have
a valid user name or password. These users are known as guest users. If your computers
run Vac OS \ v10.5 or later, you can enable a guest account, which is speci6cally
designed for guest users.
The guest account allows anonymous access to a computer. The guest account has
a local home folder that has its contents erased when the user logs in or out of the
guest account.
The guest account is best used for common-access computers, such as those in a
library or open lab where you might not need to log user access and where the user
maintains his or her 6les separate from the local computer.
For some services, like Apple Filing Protocol (AFP), you can let guest users access
6les. lnstead of authenticating with a name and a password, a guest user connects
as a guest, not as a registered user. Cuests are restricted to 6les and folders with
permissions set to Everyone.
Group Accounts
To ease user administration, you can create group accounts. A group is a collection of
users or other groups who have similar needs. For example, you can add all English
teachers to one group and allow that group to access speci6c 6les or folders on a
volume.
Groups simplify the administration of shared resources. Instead of granting access to
various resources for each user who needs access, you can add users to a group and
then grant access to everyone in the group.
Use group account settings to control user access to folders and 6les. lor more
information, see Folder and File Access by Other Users on page 28.
A group can be a member of another group. A group that contains another group
is called a parent group. The group contained in the parent group is called a child
hierarchical group or just hierarchical group. Hierarchical groups are useful for inheriting
access permissions and managed preferences.
To learn more about how to set up group accounts, see Chapter 5, Setting Up Group
Accounts. To specify preferences for group accounts, see Chapter 10, Managing
Preferences.
Workgroups
when you de6ne preferences for a group, it becomes a workgroup. A workgroup lets
you manage the work environment of group members.
Workgroup preferences are stored in the group account. For a description of
workgroup preferences, see Chapter 10, Managing Preferences.
Group Folders
when you de6ne a group, you can also specify a folder for storing 6les that you want
group members to share. The location of the folder is stored in the group account.
You can give users permission to write to a group folder or to change group folder
attributes in the Finder.
Computer Accounts
Computer accounts allow you to identify and manage individual computers.
To create a computer account, you need the computers Ethernet ID. When creating
the account, you can also associate it with an IP address. After creating the account,
you can manage its preferences or add it to a computer group.
For more information about setting up computer accounts, see Chapter 6, Setting
Up Computers and Computer Groups. To specify preferences for Mac OS X computer
accounts, see Chapter 10, Managing Preferences.
Guest Computers
Most computers on your network should have a computer account. If an unknown
computer (one that doesnt have a computer account) connects to your network and
attempts to access services, that computer is treated as a guest. Settings chosen for the
Guest Computer account apply to unknown guest computers.
Computer Groups
A computer group is composed of computer accounts or computer groups. By
combining these into a single computer group, you can apply the same managed
preferences to all its members.
To learn more about how to set up computer groups for Mac OS X client computers,
see Chapter 6, Setting Up Computers and Computer Groups. To specify preferences
for Mac OS X computer groups, see Chapter 10, Managing Preferences.
The User Experience
After you create an account for a user, the user can access server resources according
to the permissions you set.
The user experience depends on the type of user, permissions set, type of client
computer in use (such as Windows or UNIX), whether the user is a member of a group,
and whether preference management is implemented at the user, group, or computer
level.
For more information about the Mac OS X user experience, see Chapter 9, Client
Management Overview. Basic information about authentication, identity validation,
and information-access control is given in the following sections.
Authentication and Identity Validation
Before a user can log in or connect to a Mac OS X computer, he or she must enter a
name and password associated with a user account accessible by the computer.
A Mac OS X computer can access user accounts that are stored in a directory domain.
To access accounts stored in the directory domain, the directory domain must be
listed in the search policy of your computer.
A directory domain stores information about users and resources. The domain
maintains a database the computer accesses to retrieve con6guration information.
A search policy is a list of directory domains that the computer searches when it needs
con6guration information, starting with the local directory domain on the user's
computer.
The following illustration shows a user logging in to an account in a directory domain
in the computers search policy.
Log in to
Mac OS X
Directory domains
in search policy
After login, the user can connect to a remote server to access its services (if the users
account is located in the servers search policy).
Connect to
Mac OS X Server
Directory domains
in search policy
lf Vac OS \ 6nds a user account containing the name entered by the user, it attempts
to validate the password associated with the account. If the password is validated, the
user is authenticated and the login or connection process is completed.
Mac OS X Server validates passwords using Kerberos, Open Directory Password Server,
shadow passwords, and crypt passwords.
For more information about types of directory domains and instructions for
con6guring search policies, see Open Directory Administration. It also discusses
authentication methods and provides instructions for setting up user authentication
options.
Information Access Control
To control access to information, a universal ID called a q|obo||y uo|ue |Jeot|het (GUID)
provides user and group identity for access control list (ACL) permissions.
An ACL is a list of access control entries (ACEs), each specifying the permissions to
be granted or denied to a group or user, and how these permissions are propagated
throughout a folder hierarchy. The GUID also associates a user with group and
hierarchical group memberships.
Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder
and 6le permissions. ln Vac OS \, folders or 6les include POSl\ permissions for entities
such as:
Owner
Group
Everyone else
Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. For example,
compare the following example values:
+FGPVKECVKQPV[RG Example value
short name ajohnson
user ID 1005
GUID C7B063D4-0260-44D6-829B-DCD5A99DB3EC
Unlike ACl permissions, POSl\ permissions can cause 6le-ownership and group-
membership issues when multiple users have identical short names or user IDs.
when using CUl0s, users with the same short name or user l0 can have di1erent ACl
permissions.
The introduction of GUIDs does not change or remove POSIX permissions, so it
does not a1ect the interoperability of Vac OS \ with legacy Ull\ systems or other
operating systems.
Folder and File Owner Access
when a folder or 6le is created, the 6le system stores the user l0 of the user who
created the 6le or folder as its owner. by default, when a user with that user l0
accesses the folder or 6le, he or she can read and write to it. Also, any process started
by the user who creates the 6le or folder can read and write to 6les associated with
that same user ID.
lf you change a user l0, the user might not be able to modify or access 6les and folders
he or she created. likewise, if the user logs in as a user whose user l0 is di1erent from
the user l0 he or she used to create the 6les and folders, the user no longer has owner
permissions for those 6les and folders.
Folder and File Access by Other Users
lhe use of CUl0s in con|uction with ACls determines the 6les that users and groups
can access. Also, the user ID, in conjunction with a group ID, is used to control access.
Every user belongs to a primary group. The primary group ID for a user is stored in the
user's account. when a user accesses a folder or 6le and the user isn't the owner, the
6le system checks the 6le's group permissions, and the following occurs.
lf the user's primary group l0 matches the l0 of the group associated with the 6le,
the user inherits group permissions.
lf the user's primary group l0 doesn't match the 6le's group l0, Vac OS \ searches
for the users group accounts for one that has permission. When the group is found,
all members of that group and subsequent hierarchical groups are given the groups
speci6ed permission.
If neither of these cases apply, the users access permissions default to the generic
everyone.
ACLs and POSIX Permissions
lvery 6le and folder has POSl\ permissions. Unless an administrator assigns ACl
permissions, POSl\ permissions continue to de6ne user access. lf you assign ACl
permissions, they take precedence over standard POSIX permissions.
lf a 6le has ACl permissions but none apply to the user, the POSl\ permissions
determine user access. lf a 6le has multiple ACls that apply to a user, the 6rst
applicable ACE takes precedence, and subsequent ACEs are ignored.
For more information about ACL and POSIX permissions, see File Server Administration.
SIDs and Windows Interoperability
Mac OS X computers work seamlessly with Windows computers because Mac OS X
assigns a security identi6er (Sl0) to a process or 6le when it assigns a CUl0 to the
process or 6le. An Sl0 is a windows identi6er that has similar functionality to a CUl0
on a Mac OS X computer.
When Windows users access share points using Server Message Block (SMB), they
transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user
accounts with the corresponding GUIDs.
Windows servers use Active Directory as their directory domain. If a user account
is moved to a di1erent Active 0irectory domain, it receives a new Sl0 but not a
new GUID. The user still has access permissions assigned to old SIDs because Active
Directory keeps track of SID history in user accounts.
29
Use this chapter to learn how to plan and set up a user
management environment.
lo create an e1ective user management environment, you must carefully plan
your network. Then, when deploying the network, you must systematically and
methodically set up your network resources.
Setup Overview
This section provides an overview of user management setup tasks, including the
sequence of stages an administrator follows to create a managed environment.
Not all steps are necessary in every case.
For a more comprehensive approach to planning, security, server setup, installation
and deployment, management, and monitoring, see Server Administration.
Step 1: Before you begin, do some planning Analyze your users needs to determine
which directory service con6guration and home folder setup is the most suitable.
For more information, see Planning Strategies for User Management on page 32.
Step 2: Set up the server infrastructure Before deploying client computers, make
sure a computer with Mac OS X Server is set up for hosting accounts and share points.
New servers come with Mac OS X Server software preinstalled.
Set up the server so it hosts or provides access to shared directory domains. Shared
directory domains (also called shared directories) contain user, group, and computer
information you want multiple computers to access. Users whose accounts reside in a
shared directory are referred to as network users.
lhere are di1erent kinds of shared directories. ou can use workgroup Vanager to
add or modify accounts that reside in read/write directory domains such as an Open
Directory domain or the local directory domain.
2
Getting Started with User
Management
Make sure read-only directory domains (such as LDAPv2, read-only LDAPv3, or BSD
at 6les) are con6gured to support Vac OS \ Server and that they provide necessary
account data.
To make the directory compatible, you might need to add, modify, and reorganize
directory information.
Vac OS \ o1ers various options for authenticating users (including windows users)
whose accounts are stored in directory domains on Mac OS X Server. In addition,
Mac OS X accesses accounts in existing directories on your network, such as an Active
Directory hosted on a Windows server.
To make network home folders, group folders, and other shared folders available on
the network so users can access them from di1erent computers, use 6le services.
lf some users use windows computers, you can con6gure the server to provide them
with 6le services, domain login, and home folders.
The following administration guides describe infrastructure setup in detail:
For installation requirements and guidelines, see Getting Started.
For information about installation and setup of server software, see Server
Administration.
For information about directory services and authentication, see Open Directory
Administration.
lor information about how to set up 6le services, see File Server Administration.
Step 3: Set up an administrator computer Because servers are usually kept in
a secure, locked location, administrators typically conduct user management
tasks remotely from a Mac OS X computer. Such a computer is referred to as an
administrator computer.
Before you can use an administrator computer to create and manage accounts in a
shared directory, you must have a user account in the shared directory and you must
be a directory administrator. A directory administrator can use Workgroup Manager
to add and change accounts in an Open Directory domain or another read/write
directory domain.
To set up an administrator computer and create directory administrator accounts,
see Chapter 3, Getting Started with Workgroup Manager.
Step 4: Set up a home folder share point Home folders for accounts stored in shared
directories can reside in a network share point accessible by the users computer.
You can set up network home folders so they can be accessed using AFP or NFS,
or you can set up home folders for exclusive use by Windows users using SMB.
For information about setting up home folders using AFP, NFS, or SMB, see
Chapter 7, Setting Up Home Folders.
30 Chapter 2 Getting Started with User Management
Chapter 2 Getting Started with User Management 31
Step 5: Create user accounts and home folders You can use Workgroup Manager
to create user accounts in directories that reside on Mac OS X Server or in other
read/write directory domains. The following sections contain instructions for creating
accounts and folders:
To create user accounts, see Chapter 4, Setting Up User Accounts.
To create mobile user accounts, see Chapter 8, Managing Portable Computers.
To set up home folders, see Chapter 8, Managing Portable Computers.
Step 6: Set up client computers Mac OS X Server supports users of Mac OS X,
Windows, and UNIX client computers.
lor Vac OS \ computers, con6gure the search policy of the computers so it locates
shared directory domains. For instructions, see Open Directory Administration.
For setup instructions for mobile Mac OS X computers that use AirPort to
communicate with Mac OS X Server, see Designing AirPort Extreme Networks at
www.apple.com/support/manuals/airport/.
You can join Windows workstations to the Mac OS X Server primary domain controller
(P0C), which is similar to the way you con6gure windows workstations to |oin a
Windows NT server domain.
If you have more than a few Macintosh client computers to set up, consider
using NetInstall to create a system image that automates client computer setup.
For instructions, see System Image and Software Update Administration.
To prevent unauthorized access to client computers, secure them from local and
network threats. For information, see /oc O5 \ 5ecut|ty coohqutot|oo.
Ste 7: Dehne user account references You manage the work environment of
Vacintosh users whose accounts reside in a shared domain by de6ning user account
preferences. For information about Mac OS X user preferences, see Chapter 9, Client
Management Overview and Chapter 10, Managing Preferences.
Step 8: Create group accounts and group folders Use Workgroup Manager to create
group accounts in directories that reside on Mac OS X Server and in other read/write
directory domains.
You can create group folders to distribute documents and organize group member
applications. You can also set up ACLs and other access privileges to restrict a groups
access to folders or 6les.
For information about how to work with Mac OS X group accounts and group
folders, see Chapter 5, Setting Up Group Accounts.
For information about how to add a group folder to the dock to make it more
accessible to users, see Chapter 10, Managing Preferences.
For information about setting up ACLs, see File Server Administration.
Ste 9: Dehne grou account references You can manage preferences for a
group account. A group account with managed preferences is called a workgroup.
For information about Mac OS X workgroups, see Chapter 9, Client Management
Overview and Chapter 10, Managing Preferences.
Ste 10: Dehne comuter accounts, comuter grous, and references Use
computer accounts or computer groups to manage Macintosh client computers.
For information about creating Mac OS X computer accounts or computer groups,
see Chapter 6, Setting Up Computers and Computer Groups.
For information about computer group preferences, see Chapter 9, Client
Management Overview and Chapter 10, Managing Preferences.
Step 11: Perform ongoing account maintenance As users come and go and the
requirements for your servers change, you must update account information:
For information about how to use Workgroup Manager to display accounts,
see Chapter 3, Getting Started with Workgroup Manager.
For information about how to perform common tasks such as creating accounts,
disabling accounts, adding and removing users from groups, and deleting accounts,
see Chapter 4, Setting Up User Accounts through Chapter 6, Setting Up Computers
and Computer Groups.
For solutions to common problems, see Chapter 11, Solving Problems.
Planning Strategies for User Management
The following are planning activities to undertake before you implement user
management.
Analyzing Your Environment
our environment de6nes your user management settings, including.
Size and distribution of your network
Number of users who access your network
Type of computers used (Mac OS X or Windows)
How client computers are used
Which computers are mobile
low to de6ne security and password policies
Which users should have administrator privileges
which users should have access to speci6c computers
What services and resources users need (such as mail or access to data storage)
How to divide users into groups (for example, by class topic or job function)
How to group computers (such as all computers in a public lab)
Identifying Directory Services Requirements
Identify the directories where youll store user and group accounts, computers,
and computer groups:
Set up an Open Directory master and replicas to host a Lightweight Directory
Access Protocol (LDAP) directory for storing other user accounts, group accounts,
computers, and computer groups on your network. For information about password
handling options, see Open Directory Administration.
If you have an earlier version of an Apple server, you might be able to migrate
existing records. For available options, see Updating and Migrating.
If you have an LDAP or Active Directory server set up, you might be able to use
existing account records. For details about accessing existing directories, see Open
Directory Administration.
For information about working with Open Directory groups and computer groups,
see Chapter 5, Setting Up Group Accounts and Chapter 6, Setting Up Computers
and Computer Groups.
Note: lf all domains are not 6nalized when you're ready to start adding user and group
accounts, add the accounts to any directory domain that exists on your server. (The
local directory domain is always available.) You can move users and groups to another
directory domain later by using your servers export and import functions.
Passwords are not retained when exporting and importing account information.
However, they are retained if you archive and restore the directory domain. For more
information, see the appendix, Importing and Exporting Account Information.
Determining Server and Storage Requirements
when planning for server needs, you must 6rst acquire the following information.
lhe number of concurrently connected computers, which a1ects network tra1c and
server response times
lhe number of user accounts, which a1ects the amount of storage space required to
store user 6les
Directory services, including authentication and user management, require one Open
Directory master or replica for every 1000 computers, regardless of the number of total
user accounts.
For example, if you have 400 computers and 2000 users, you need one Open Directory
master for authentication and account management. If you have 1800 computers and
2500 users, you need one Open Directory master and one Open Directory replica.
If you use network home folders, they require one dedicated home folder server for
every 150 concurrent connections. If you use mobile accounts with portable home
directories, you need one dedicated home folder server for every 300 concurrent
connections.
For example, if you have 400 computers and 2000 users on network home folders,
you need three dedicated home folders servers. If those users are deployed with
portable home folders, you need two dedicated home folder servers.
If you have 1800 computers and 2500 users, you should have 12 dedicated home
folder servers for network home folders and 6 dedicated servers for portable home
directories.
Group folders require one server for every 450 concurrent connections. For example,
if you have 400 computers, you need one group folder server. For 1800 computers,
you need four group folder servers.
Storage requirements vary because users have varying storage needs. Some users
might store very few 6les in their home folders, while other users 6ll theirs. A simple
guideline is to start with 1 gigabyte (GB) of storage per user account, but allow for
expansion.
Dont establish disk quotas or other space restrictions unless you have closely
examined your users storage needs. For example, 2000 user accounts might only need
2 terabytes (TB) of storage over the course of several years. However, if you give that
same 2000 users their own computers with 60 GB drives, they could use as much as
120 lb of storage. ln this case, every user 6lls his or her drive and then portable home
directory syncing mirrors 6les from his or her local home folder to the network 6le
server.
The following table summarizes the above requirements:
Requirement Maximum value
Computers connected to each directory server 1000
letwork home folders per 6le server 150
Portable home folders per 6le server 300
Group folder concurrent connections per server 450
Choosing a Home Folder Structure
When deploying computers, one of the most crucial decisions is choosing how and
where to host home folders.
There are three types of home folders: a local home folder, a network home folder, and
a portable home directory. These home folders are typically tied, respectively, to local,
network, and mobile accounts.
When considering your home folder structure, keep the following in mind:
Users with local accounts typically have local home folders.
when users save 6les in local home folders, the 6les are stored locally. lo save the
6les over the network, users must connect to the network and upload the 6les.
Using local home folders provides the least amount of control over a users
managed preferences and is also not inherently tied to a network account.
Users with network accounts typically have network home folders.
when users save 6les in network home folders, the 6les are stored on the server.
When users access home folders, even for common tasks like caching webpages,
the 6les are retrieved from the server.
Using network home folders provides complete control over a users managed
preferences. When users are not connected to the network, they cant access their
accounts or home folders.
Users with mobile accounts have local and network home folders, which combine
to form portable home directories.
when users save 6les, the 6les are stored in a local home folder. lhe portable home
directory is a synced subset of a users local and network home folders. You can
con6gure which folders to sync and how frequently to sync them.
Mobile accounts also cache authentication information and managed preferences.
lf you sync key folders, a user can work on and o1 the network and experience a
seamless work environment.
If you choose not to sync portable home directories, mobile accounts are then very
similar to local accounts, except that mobile accounts have managed preferences.
Users with mobile accounts who access their accounts on computers running
Mac OS X v10.5 or later can use portable home directories with an external drive.
when users connect external drives to a computer (including computers o1 of the
network), they can still access their accounts. These types of mobile accounts are
called external accounts.
An external account stores its local home folder on the external drive and doesnt
create a local home folder on the computer its accessed from.
Except for the location of the local home folder, external accounts are treated
like mobile accounts, with the same kinds of syncing, cached authentication,
and managed preference bene6ts.
Note: If a users mobile account is hosted in an Active Directory domain, the mobile
account does not have a portable home directory. However, it does have a local home
folder and a network home folder, and caches authentication.
Mobile accounts and external accounts are described in detail in Chapter 8, Managing
Portable Computers.
Devising a Home Folder Distribution Strategy
Determine which users need home folders and identify the computers where you
want these home folders to reside. For performance reasons, avoid using network
home folders over network connections slower than 100 megabits per second (Mbit/s).
A users network home folder doesnt need to be stored on the same server as the
directory containing the users account. In fact, distributing directory domains and
home folders across multiple servers can help balance your network load. This scenario
is described in Distributing Home Folders Across Multiple Servers on page 126.
You might want to store home folders for users with last names beginning with A
through F on one computer, G through J on another, and so on. Or, you might want to
store home folders on a Mac OS X Server computer but store user and group accounts
on an LDAP or Active Directory server.
Before creating users, pick a distribution strategy. If your distribution strategy fails
while using it, you can move home folders, but doing so can require changing a large
number of user records.
When determining the access protocol to use for home folders, AFP is most commonly
used in a Mac-based computer environment. If you are hosting home folders on UNIX
servers that do not support AFP, you might want to use NFS. If you are hosting home
folders on Windows servers, you might want to use SMB.
For more information about how to use these protocols for home folders, see About
Home Folders on page 124.
Identifying Groups
Identify users with similar requirements and consider assigning them to groups.
See Chapter 5, Setting Up Group Accounts.
Determining Administrator Requirements
You dont need to give full directory administrator privileges to all users who need
only some administrative control. Instead, you can give them limited administrative
privileges.
Decide which users will have full administrative control over accounts and which users
will perform only a few administrative duties.
The directory administrator has the greatest amount of control over other user
accounts and privileges. The directory administrator can create user accounts,
group accounts, computer accounts, and computer groups, and can assign settings,
privileges, and managed preferences for them. He or she can also create other server
administrator accounts, or give speci6c users (for example, teachers or technical sta1)
administrator privileges in speci6ed directory domains.
limited administrators can perform common administrative tasks for speci6ed users
and groups. They can manage user preferences, edit managed preferences, edit user
information, and edit group membership. Giving users limited administrative privileges
helps them to be more self-su1cient, without putting your organization at risk.
For example, you might want to give student lab assistants the ability to manage user
passwords for a small group of students, while giving teachers the ability to manage
user passwords, edit user information, and edit group information for all of their
classes.
Because users can be given limited administrator privileges, consider which users
require directory administrator privileges. A well-planned hierarchy of administrators
and users with special administrator privileges helps you distribute system
administration tasks and makes workow and network management more e1cient.
when you use Server Assistant to con6gure your server, specify a password for the
owner/administrator. This password also becomes the root password for your server.
Changing the owner/administrator password doesn't a1ect the root password. Only a
few server administrators need to know the root password, because you can usually
use the sudo command to use command-line tools (such as CreateGroupFolder).
Administrators who dont need root access can use Workgroup Manager to create an
administrator user with a password di1erent from the root password.
Use the root password with caution and store it in a secure location. The root user has
full access to the system, including system 6les. lf necessary, you can use workgroup
Manager to change the root password.
38
Use this chapter to set up Workgroup Manager and use its
core features.
Workgroup Manager is the primary application for managing client computers.
You can use Workgroup Manager to create accounts and manage preferences.
%QPIWTKPIVJG#FOKPKUVTCVQTU%QORWVGTCPF#EEQWPV
lo use workgroup Vanager, you must 6rst install the Vac OS \ Server administration
tools. before you can manage client computers, you must con6gure a computer for use
as an administrator computer and create a directory administrator account.
Setting Up an Administrator Computer
When you install Workgroup Manager and other administration tools on a remote
administrator computer, you do not need to physically access the server. Instead, use
this administrator computer to connect to the server and perform administrative tasks
remotely.
The computer should have Mac OS X v10.5 or later, at least 512 MB of RAM, and 1 GB of
unused disk space.
For more about server and storage requirements, see Determining Server and Storage
Requirements on page 33.
To create and modify accounts, you must also have a directory administrator account.
To set up an administrator computer:
1 Insert the Administration Tools disc and then start the installer,
ServerAdministrationSoftware.mpkg, located in the /Installers folder.
Make sure the server administration tools you install are the same version as
the Mac OS X Server software installed on your servers. If you use older server
administration tools with a newer server version, the tools can cause errors and
corrupt data.
3
Getting Started with Workgroup
Manager
Chapter 3 Getting Started with Workgroup Manager 39
You can also download the latest Administration Tools disc image from the Mac OS X
Server Support website (www.apple.com/support/macosxserver/).
2 Follow the onscreen instructions.
3 After installing the administration tools, run Software Update (choose Apple >
Software Update) to ensure you have the latest version of the tools.
4 lf you are managing preferences that use speci6c paths to 6nd 6les (such as 0ock
preferences), make sure the administrator computer has the same 6le system structure
as each managed client computer.
This means that folder names, volumes, the location of applications, and so on should
be the same.
5 Add the directory domain to the directory services of the administrator computer.
In System Preferences, click Accounts, select Login Options, and then click Join.
To add a directory domain to the search policy for both authentication and contacts,
enter your directory domains information, click OK, and authenticate as a local
administrator if requested.
To add a directory domain to the search policy for either authentication or contacts,
click Open Directory Utility. For information on using Directory Utility, view Directory
Utility Help.
Creating a Directory Administrator Account
Before creating and editing accounts in a shared directory, you need a directory
administrator account in the directory. A directory administrator can use Workgroup
Manager to add and change accounts residing in an Open Directory domain, the local
directory domain, or another read/write directory domain.
To create a directory administrator account:
1 On the administrator computer, open Workgroup Manager and authenticate as the
administrator user created during server setup.
2 Access the shared directory by clicking the globe icon and choosing the directory
domain.
If youre not authenticated, click the lock and enter the name and password of a
directory administrator.
3 Click New User, click Basic, and then provide basic information for the administrator.
4 Click Privileges and from the Administration capabilities pop-up menu choose Full.
5 Click Save.
From the Command Line
You can also create a directory administrator account using the dscl command in
Terminal. For more information, see Creating User Accounts on page 53.
Using Workgroup Manager
After installing the Mac OS X Server software and setting up a directory administrator
account, you can access and use Workgroup Manager for user management.
This section provides an introduction to Workgroup Manager.
Using Mac OS X Server v10.6 to Administer Earlier Versions of
Mac OS X
Server Admin for Mac OS X v10.6 can connect to Mac OS X Server v10.5.6 or later.
You can use Workgroup Manager included with Mac OS X v10.6 to manage client
computers running Mac OS X v10.4 or later.
Connecting and Authenticating to Directory Domains in Workgroup
Manager
When you install your server or set up an administrator computer, Workgroup Manager
is installed in /Applications/Server/. Use the Finder to open the application, or click its
icon in the Dock or in the toolbar of the Server Admin application.
You can view a directory domain without authenticating by choosing Server >
View Directories in Workgroup Manager. Initially, you have read-only access to
information displayed in Workgroup Manager. To make changes in a directory, you
must authenticate using a directory administrator account. This approach is most
useful when you're administering di1erent servers and working with di1erent directory
domains.
To connect and authenticate to directory domains:
1 Open Workgroup Manager and from the Workgroup Manager Connect window click
Browse, or enter the IP address or DNS name for a server that connects to directory
domains.
2 Enter the user name and password for a directory administrator and click Connect.
3 To change directory domains while connected to a server, click the globe icon
(see below) to select a domain, then authenticate as a directory administrator by
clicking the lock icon.
Click the globe icon to select
a directory domain
Click the lock to
authenticate
4 lo connect to a di1erent server, choose Server > Connect.
40 Chapter 3 Getting Started with Workgroup Manager
Major Workgroup Manager Tasks
After login, the Accounts pane appears (see below), showing a list of user accounts.
Initially, the user accounts listed are those stored in the last directory domain of the
servers search policy.
Accounts list
Type here to search or
filter the list below
Users button
Click the globe icon to
select a directory domain
Computers
button
Computer
Groups button
Currently
selected domain
Click the lock to
authenticate
Groups button
Here is how to get started with primary Workgroup Manager tasks:
To specify the directory domain that stores accounts you want to work with,
click the globe icon.
lo work with accounts in di1erent directories at the same time or to work with
di1erent views of accounts in a directory, open multiple workgroup Vanager
windows by clicking the New Window icon in the toolbar or by choosing Server >
New Workgroup Manager Window.
To administer accounts in the selected directory, click the Accounts icon in the
toolbar; then click the Users, Groups, Computers, or Computer Groups button on
the left side of the window to list the accounts that exist in the directories you are
working with.
lo 6lter the displayed account list, use the pop-up search menu above the
accounts list.
To work with managed preferences, select an account (or several accounts) and then
click the Preferences icon in the toolbar.
To import or export user and group accounts, choose Server > Import or select the
accounts and choose Server > Export.
To view onscreen help, use the Help menu. The Help menu gives you access to
help for administration tasks available through Workgroup Manager and other
Mac OS X Server topics.
To open Server Admin so you can monitor and work with services on a server,
click the Server Admin icon in the Workgroup Manager toolbar.
For information about Server Admin, see Server Administration.
Modifying Workgroup Manager Preferences
You can change Workgroup Manager preferences to customize how records are
displayed and to enable the Inspector, which is an advanced directory domain editor.
Workgroup Manager includes the following preferences.
Preference Description
Resolve DNS names when possible (Default: on) Disabling this preference causes
Workgroup Manager to stop resolving DNS
names when writing data. If youre having DNS
issues, disabling this can help mitigate the e1ect
of those 0lS issues (but you should 6x those
issues).
Show All Records tab and inspector (0efault. o1) lnabling this preference enables
the Inspector. The Inspector allows you to see
and edit directory data not otherwise visible in
Workgroup Manager. For more information, see
Server Admin Help.
Limit search results to requested records (0efault. o1) when you don't enter anything in
the search 6eld, by default, workgroup Vanager
lists all user records in the selected directory
domain.
Enabling this preference requires you to enter
* (without quotes) to list all records, which can
expedite working with large directory domains
in Workgroup Manager (because Workgroup
Manager doesnt automatically list all records).
List a maximum of # records (0efault. o1) lnabling this preference limits the
maximum number of search results to a number
you specify.
Enabling this preference and setting a reasonable
maximum number can improve Workgroup
Manager performance. However, setting the
number too low can cause you to overlook the
total number of matches.
To set Workgroup Manager preferences:
1 In Workgroup Manager, choose Workgroup Manager > Preferences.
2 Select the preferences you want to change.
3 To reset the warning messages youve marked as Dont show again, click Reset Dont
show again messages.
4 Click OK.
Finding and Listing Accounts
workgroup Vanager provides several methods for 6nding and listing user accounts,
group accounts, computer accounts, and computer groups.
Working with Account Lists in Workgroup Manager
In Workgroup Manager, user accounts, group accounts, computer accounts, and
computer groups are listed on the left side of the Workgroup Manager window.
lhe following settings inuence the contents and appearance of the list.
Workgroup Manager preferences can limit the maximum number of records shown
and whether you want to enable the Inspector (which allows you to view or edit
raw directory data). To set up Workgroup Manager preferences, choose Workgroup
Manager > Preferences.
Open Directory can also limit the maximum number of records shown, so even if
you dont set a maximum number in Workgroup Manager, you might see a subset of
the total number of records.
lhe list reects the directory you've chosen from the globe icon. lf you connect to
the directory server, the accounts in the parent directory domain are listed. If you do
not connect to the directory server, local accounts are listed.
The listed domains are the local directory domain, all directory domains in the
servers search policy, and all available directory domains (domains the server
is con6gured to access, even if not in the search policy). lor instructions on
con6guring a server to access directory domains, see Open Directory Administration.
After you choose directory domains, all accounts residing in those domains
are listed.
You can list users, groups, computers or computer groups by clicking the Users,
Croups, Computers, or Computer Croups buttons above the search 6lter.
To sort a list, click a column heading. An arrow shows the sort order (ascending or
descending), which you can reverse by clicking the column heading again.
ou can search for speci6c items in the list by typing in the 6eld above the accounts
list. To choose the search criteria, use the Search (magnifying glass) pop-up menu.
To work with accounts, select them. Settings for the selected accounts appear in the
pane at the right of the list. Available settings vary, depending on which pane youre
viewing.
Listing Accounts in the Local Directory Domain
When you list accounts in the local directory domain, you list all local accounts.
These local accounts can only be accessed by users of the local computer or server,
not by users of client computers.
Services and programs running on a server can access the servers local directory
domain. Programs running on a client computer, such as the client computers login
window, cant access the servers local directory domain.
lf a server hosts 6le services, users with accounts from the server's local directory
domain can authenticate with the 6le services.
User accounts from the servers local directory domain cant be used to authenticate in
the login window on client computers, because the login window is a process running
on the client computer.
To list accounts in a servers local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain; then click the globe
icon and choose Local.
For servers running Mac OS X Server v10.5 or later, the local directory domain is listed
as /Local/Default.
2 Choose from the following:
To view user accounts, click the Users button.
To view group accounts, click the Groups button.
To view computer accounts, click the Computers button.
To view computer groups, click the Computer Groups button.
3 To work with an account, select it.
Changing account settings or preferences requires server administrator privileges,
so you might need to click the lock to authenticate.
Listing Accounts in Search Policy Directory Domains
A computer's search policy speci6es which directory domains Open 0irectory can
access. lhe search policy also speci6es the order in which Open 0irectory accesses
directory domains. By listing accounts in a search policy, you list the accounts on all
directory domains in the search policy.
You cant edit accounts when listing accounts in a search policy.
For more information about how to set up search policies, see Open Directory
Administration.
To list accounts in search policy domains of the server youre working with:
1 In Workgroup Manager, connect to a server that has a search policy containing the
directory domains of interest.
2 Click the globe icon and choose Search Policy.
Listing Accounts in Available Directory Domains
Using Workgroup Manager, you can list user accounts, group accounts, computer
accounts, and computer groups residing in any available directory domain accessible
from the server youre connected to.
Available directory domains are not the same as directory domains in a search policy.
A search policy consists of the directory domains a server searches routinely when it
needs to retrieve accounts. lowever, the same server might be con6gured to access
directory domains that havent been added to its search policy.
lo learn how to con6gure access to directory domains, see Open Directory
Administration.
To list accounts in a directory domain accessible from a server:
1 In Workgroup Manager, connect to a server where you can access the directory
domains.
2 Click the globe icon and then choose the domain where the users account resides.
If the directory domain is not listed, add it to the pop-up menu by choosing Other.
In the dialog that appears, select the domain and then click OK.
4 To work with an account, select it.
Changing the account requires directory administrator privileges, so you might need
to click the lock to authenticate.
Refreshing Account Lists
If more than one administrator makes changes to directory domains, make sure youre
viewing the current list of user accounts, group accounts, computer accounts, and
computer groups by refreshing the lists.
To refresh account lists, click Refresh in the toolbar. Alternatively, click the globe icon
and then choose the directory domain youre working in from the pop-up menu.
Pndng Sechc Accounts n a Lst
After you've displayed a list of accounts in workgroup Vanager, you can 6lter the list
to 6nd speci6c users or groups.
ou can choose from several 6lters.
Name Contains
Name Starts With
Name Ends With
Name Is
ID Is
ID Is Greater Than
ID Is Less Than
Comment Contains
Keyword Contains
1o h|ter tems n the |st of accounts:
1 After listing accounts, click the Users, Groups, Computers, or Computer Groups button.
2 Click the Search (magnifying glass) pop-up menu, choose an option to describe what
you want to 6nd, and then enter search terms in the search 6eld.
The original list is replaced by items that satisfy your search criteria. If you enter a user
name, both full and short user names are searched. If you enter a group name, short
group names are searched.
3 When the domains youre working with contain thousands of accounts, choose
Workgroup Manager > Preferences and do the following:
To do this Do this
Avoid listing accounts until a 6lter is speci6ed Select Limit search results to requested records.
List all accounts in the selected directory domain lnter "`' (without quotes) in the search 6eld.
Specify the maximum number of accounts to list Select List a maximum of n records, and then
enter a number no greater than 32,767.
Using Advanced Search
Use the Search button in the toolbar to locate speci6c users or groups by searching
several 6elds relevant to them. ou can then batch-edit these search results. lor more
information about batch editing, see Editing Multiple Accounts Simultaneously on
page 48.
ou can search across several 6elds.
Record Name
Real Name
User ID
Comment
Keyword
Group ID
lhere are several 6eld options.
Is less than
Is greater than
Is
Contains
To locate users or groups in the Accounts or Preferences panes:
1 In the Workgroup Manager toolbar, click Search.
ou can also click the Search (magnifying glass) button in the search 6eld above the
accounts list and then choose Advanced Search.
2 Choose a 6eld to search, a 6eld option, and then enter the text you want to search.
3 Click the Add (+) button to add search criteria.
4 Save, rename, or delete a preset by using the Search Presets pop-up menu.
5 After you de6ne your search, click Search low.
After receiving search results, you can clear the search to revert to your default display
or edit the search to re6ne it further. while editing the search, you can save the search
as a preset for later use.
Sorting Users and Groups
After displaying a list of accounts in Workgroup Manager, click a column heading to
sort entries using the values in that column. Click the heading again to reverse the
sort order.
Shortcuts for Working with Accounts
Workgroup Manager provides shortcuts for applying the same settings to new or
existing accounts. ou can also import user and group account information from a 6le.
Using Presets
You can select settings for a user account, group account, or computer group, and save
them as presets. Presets work like templates, allowing you to apply prede6ned settings
to a new account. Using presets, you can easily set up multiple accounts with similar
settings.
You can only use presets during account creation. You cant use a preset to modify
an existing account. You can use presets when creating accounts manually or when
importing them from a 6le.
If you change a preset after it has been used to create an account, accounts already
created using the preset are not updated to reect those changes.
For more information about how to create presets, see Creating a Preset for User
Accounts on page 63.
Editing Multiple Accounts Simultaneously
You can edit settings (if they dont need to be unique) for multiple user accounts,
group accounts, or computer groups at the same time. Simultaneously editing
multiple accounts is referred to as batch editing.
There are two ways to simultaneously edit accounts: select several accounts in the
accounts list, or use the batch edit feature in the Advanced Search dialog.
Unlike when you select several accounts, the batch edit feature allows you to preview
and edit search results before applying changes, and you can view changes and errors
after applying more changes.
There are several ways to select multiple accounts:
To select a range of accounts, hold down the Shift key while clicking.
To select accounts individually, hold down the Command key while clicking.
To deselect accounts, choose Edit > Select All and then Command-click individual
accounts.
Although you can simultaneously edit most account settings for multiple users, some
settings must be made for individual users. For example, you cant assign the same
name, short name, or user l0 to multiple users. workgroup Vanager disables 6elds
where you must provide unique values.
If a setting is not the same for two or more accounts, you might see one of the
following:
Interface element Mixed-state appearance
Sliders, radio buttons, and checkboxes A dash indicates that the setting is not the same
for all selected accounts.
lext 6elds lhe term "varies' or "...' appears in the text 6eld.
Pop-up menu The term --Varies-- appears in the pop-up menu.
Lists The term Data Varies appears in the list.
The mixed-state interface element also appears when you do the following:
Edit managed preferences that were originally set in Mac OS X v10.4 or earlier
Change a preference in the preference editor that corresponds to an interface
element
If you choose a new setting for a mixed-state setting, every account has the new
setting.
lor example, suppose you select three group accounts that have di1erent settings for
the Dock size. When you look at the Dock Display preference pane for these accounts,
the Dock Size slider is centered and has a dash on it. If you change the position of the
Dock Size slider to Large, all selected accounts then have a large-size Dock.
1o batch-edt accounts that match sechc crtera:
1 In Workgroup Manager, select Accounts or Preferences.
2 Click the globe icon below the toolbar and choose the directory domain that contains
the accounts you want to edit.
3 To authenticate, click the lock and enter the name and password of a directory
administrator.
4 In the toolbar, click Search.
ou can also click the magni6er in the search 6eld above the accounts list and then
choose Advanced Search.
5 lo enter search criteria, choose the 6eld to search and the 6eld option, enter the text
you want to search, and then click the Add (+) button to add additional search criteria.
6 Select Perform a batch edit on the search results.
You can do the following:
lo create a list of accounts a1ected when you save batch edits, select "Preview
and edit search results before applying changes. After editing accounts, a dialog
appears listing all accounts a1ected by the batch edit.
To create a list of accounts and changes made to each account after saving batch
edits, select Display postview of changes or errors. After editing accounts, a dialog
appears listing all batch edit results, uncluding the changed records and 6elds.
7 Click Continue.
8 Change account information or preference settings and then click Apply Now.
lf a 6eld is disabled, you can't edit the 6eld while multiple user accounts are selected.
9 If you selected Preview and edit search results before applying changes, you can
remove accounts you dont want to batch edit by selecting them and clicking Remove.
If you perform more batch edits using the same query, removed accounts return to
this list.
10 If you selected Display postview of changes errors and you want to save a text log of
the batch-edit results, click Save and then click OK.
11 To stop batch editing, click Clear.
Importing and Exporting Account Information
ou can use \Vl or character-delimited text 6les to import and export user and
group account information. Importing information can make it easier to set up many
accounts quickly. lxporting information to a 6le is useful for record-keeping. lo back
up account information with passwords intact, archive the directory.
For more information, see the appendix, Importing and Exporting Account
Information.
51
Use this chapter to set up, edit, and manage user accounts.
User accounts give users unique identities on your network and allow you to manage
those users.
You can use Workgroup Manager to view, create, edit, and delete user accounts.
To view user accounts in Workgroup Manager, click the Users button above the
accounts list.
About User Accounts
A user account stores data that Mac OS X Server uses to validate a users identity and
provide services to the user.
Where User Accounts Are Stored
User accounts, group accounts, computer accounts, and computer groups are stored
in a directory domain, available to any Mac OS X computer. A directory domain can
reside on a Mac OS X computer (for example, in an Open Directory domain or other
read/write directory domain), or it can reside on a non-Apple server (for example, on a
non-Apple LDAP or Active Directory server).
If you have read-only access to a directory domain, you can use augmented user
records to enable speci6c settings or manage preferences. because these settings are
speci6c to the augmented records, you don't need to edit the accounts stored in the
original directory domain. The settings you arent allowed to edit are synced with the
directory domain theyre imported from.
lor windows 6le service and other services, you can store user accounts in any
directory domain accessible from the server that needs to authenticate users for a
service.
4
Setting Up User Accounts
If the user account is used for Windows domain login from a Windows computer, you
must store it in the LDAP directory of the Mac OS X Server that is the primary domain
controller (PDC), or in a copy of the LDAP directory on a backup domain controller
(BDC).
A Windows user account that is not stored in the PDC servers LDAP directory can be
used to access other services. For example, Mac OS X Server can authenticate users
with accounts in the server's local directory domain for the server's windows 6le
service.
Mac OS X Server also authenticates users with accounts on other directory systems,
such as an Open Directory master on another Mac OS X Server system, or Active
Directory on a Windows server.
For complete information about the kinds of directory domains, see Open Directory
Administration.
Predehned 0ser Accounts
The following table describes user accounts that are created when you install
Mac OS X Server (unless otherwise indicated). For a complete list, open Workgroup
Manager and choose View > Show System Users and Groups.
2TGFGPGFWUGTPCOG Short name User ID Use
MySQL Server mysql 74 The user that the
MySQL database server
uses for its processes
that handle requests.
sshd Privilege
separation
sshd 75 The user for the sshd
child processes that
process network data.
System Administrator root 0 A user with no
protections or
restrictions.
52 Chapter 4 Setting Up User Accounts
Chapter 4 Setting Up User Accounts 53
2TGFGPGFWUGTPCOG Short name User ID Use
System Services daemon 1 A legacy UNIX user.
Unknown User unknown 99 A user with no login
name or password.
when 6les or volumes
have no real owner,
they are assigned
unknown as their
owner.
Unprivileged User nobody -2 This user was created
so system services
didnt need to run as
System Administrator.
Service-speci6c users
such as World Wide
Web Server are often
used for this purpose.
World Wide Web Server www 70 The nonprivileged user
that Apache uses for its
processes that handle
requests.
Administering User Accounts
You can view, create, edit, and delete user accounts stored in various types of directory
domains.
Creating User Accounts
To create a user account in a directory domain, you must have administrator privileges
for the domain.
To create user accounts in an LDAPv3 directory on a non-Apple server, use Directory
Utility to map the LDAPv3 directory attributes to Open Directory user and group
attributes. For more information about user account elements that might need to be
mapped, see Understanding What You Can Import and Export on page 273.
To create users in an Active Directory domain, use Active Directory administration
tools on a Windows computer. You cant use Workgroup Manager to create user
accounts, group accounts, computer accounts, or computer groups in a standard
Active Directory domain. If you extend the schema of the Active Directory domain,
you can create computer groups in Active Directory.
To create user accounts for Windows users, create them on a Mac OS X Server PDC,
which creates them in the servers LDAP directory. Windows users with accounts on
the PDC server can log in to the Windows domain from a Windows workstation. These
user accounts can be used to authenticate to windows 6le service and other services,
and to Mac OS X computers on the network.
You can create user accounts in the Mac OS X Server PDC LDAP directory but not in
a BDC read-only LDAP directory. If you have a BDC, the PDC server replicates the new
accounts to the BDC.
If you create user accounts in a servers local directory domain, you can only
authenticate for services provided by that server. You cant use these accounts to log
in to a Mac OS X client computer or to perform Windows domain login. However,
windows users can authenticate with windows 6le service, mail service, and other
platform-neutral services.
For instructions on mapping LDAPv3 attributes or connecting to Active Directory,
see Open Directory Administration.
To create a user account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server computer youre using are
con6gured to access the directory domain.
For instructions, see Open Directory Administration.
3 Click the globe icon and then choose the domain where you want the users account
to reside.
For Mac OS X Server v10.5 or later, Local and /Local/Default refer to the local directory
domain.
administrator.
5 Choose Server > New User or click New User in the toolbar.
6 In the panes provided, specify settings for the user.
For details, see Working with Basic Settings on page 65 through Working with
Windows Settings on page 89.
ou can also use a preset or an imported 6le to create a user account. lor details,
see Using Presets to Create Accounts on page 64 and Using Workgroup Manager to
Import Accounts on page 275.
From the command line:
1 Identify an unused user ID by using the dscl tool to display lists of assigned user IDs
and group IDs:
$ dscl /LDAPv3/ipaddress -list /Users UniqueID| awk {print $2} | sort
-n
Replace /LDAPv3/ipaddress with the location of your directory domain (the way it
appears in the search path in Directory Access).
After you enter the command, the dscl tool displays a list of assigned user ID
numbers, similar to the following output. These user IDs are for computer accounts
that are included with Mac OS X Server:
-2
0
1
99
25
26
27
70
71
75
76
77
78
79
501
Important: Select a user ID that isnt in the list of assigned user ID numbers created
when you install Mac OS X Server.
2 Start the dscl tool in interactive mode, specifying the computer you are using as the
source of directory service data, and use the dscl tool to create a nonadministrator
user account:
$ dscl localhost
>
In interactive mode, the dscl tool displays the current folder in the directory domain
(not the current folder in the 6le system) and a ">' character as a prompt.
3 Change the current folder to /LDAPv3/ipaddress/Users by entering the path at the
prompt:
> cd /LDAPv3/ipaddress/Users
Replace ipaddress with the IP address of your directory server.
4 Authenticate as an administrator by entering the following command, replacing
adminusername with your administrator user name, and entering your administrator
password when prompted:
> auth adminusername
5 Create a user account, replacing ajohnson with the new user accounts short name and
specifying the path to the new users home folder in /Users/:
> create ajohnson HomeDirectory <home_dir><url>afp://sp.apple.com/
Users</url><path>ajohnson</path></home_dir>
> create ajohnson NFSHomeDirectory /Network/Servers/sp.apple.com/Users/
ajohnson
Replace sp.apple.com with your home folder servers location.
6 Specify the new users default UNIX shell:
> create ajohnson UserShell /bin/bash
7 Specify the user ID, replacing 1234 with the new users ID:
> create ajohnson UniqueID 1234
8 Specify the long name for the new user account, replacing Anne Johnson with the
actual long name:
> create ajohnson RealName Anne Johnson
9 Review the settings of your new user account by entering the following command,
replacing ajohnson with the new user accounts short name as before:
> read ajohnson
10 View settings for your new user account.
Settings for your new user account appear similar to the following output:
dsAttrTypeNative:apple-generateduid:1B2A3456-E7C8-9EC1-2345-678D912E3456
dsAttrTypeNative:cn: anne johnson
dsAttrTypeNative:gidNumber: 99
dsAttrTypeNative:HomeDirectory: /LDAPv3/ipaddress/Users/ajohnson
dsAttrTypeNative:loginShell: /bin/bash
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount
apple-user extensible object organizationalPerson top person
dsAttrTypeNative:sn: ajohnson
dsAttrTypeNative:uid: ajohnson
dsAttrTypeNative:uidNumber: 1234
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID:1B2A3456-E7C8-9EC1-2345-678D912E3456
LastName: johnson
NFSHomeDirectory: /LDAPv3/ipaddress/Users/ajohnson
PasswordPlus:********
PrimaryGroupID: 99
RealName: Anne Johnson
RecordName: ajohnson anne
RecordType: dsRecTypeStandard:Users
UniqueID: 1234
UserShell: /bin/bash
11 Assign a password to the account by entering the following command, replacing
ajohnson with the new accounts short name:
> passwd ajohnson
12 Quit dscl by entering:
> quit
The dscl tool displays Goodbye, and then the standard shell prompt appears.
13 Use the ssh tool to connect to the server where you are hosting home folders:
$ ssh -l username server
Replace username with the name of an administrator user on the remote server and
replace server with the name or IP address of the server.
14 Create the home folder for the new user.
Use the -s option if you are using a network directory domain or the -c option if you
are using a local directory domain. You must run the command to create the home
folder with root privileges.
$ sudo createhomedir -s -u ajohnson
The user account is now complete and can be used for logging in. For more
information, see the dscl man page.
Creating Augmented User Records
Augmented user records are imported user accounts that allow you to enable speci6c
settings such as the users login picture, or to manage preferences. Because these
settings are speci6c to the augmented record, you don't need to edit the accounts
stored in the original directory domain.
The settings you arent allowed to edit are synced with the directory domain theyre
imported from. For example, if you set a login picture for an augmented record,
that augmented record uses the login picture but the original user account remains
unchanged.
You can use augmented user records to manage preferences for accounts stored in an
Active Directory domain or in an Open Directory domain that you dont have editing
permissions for.
To create an augmented user record:
con6gured to access the directory domain containing the original accounts and the
directory domain where the augmented user records will reside.
2 In Workgroup Manager, connect to the server that youre importing augmented
records to.
3 Click Accounts.
4 Click the globe icon and choose the domain youre importing augmented records to.
administrator of the directory domain you chose in the previous step.
6 Choose Server > New Augmented User Records.
7 Select the user records you want to import.
If you select a group, all members of that group are imported.
8 Click Create, and then click Done.
Editing User Account Information
You can use Workgroup Manager to change a user account that resides in an Open
Directory domain, the local directory domain, or other read/write directory domain.
You can modify accounts in an Open Directory domain if youre authorized to
administer the directory domain. You dont need server administrator privileges
but your user ID must have limited or full administrative privileges (which are set in
the Privileges pane of Accounts in Workgroup Manager). For more information, see
Working with Privileges on page 73.
To make changes to a user account:
2 Make sure that the directory services of the Mac OS X Server computer youre using
are con6gured to access the desired directory domain.
3 Click the globe icon and then choose the domain where the users account resides.
If the directory domain is not listed, add it to the pop-up menu by choosing Other.
In the dialog that appears, select the domain and then click OK.
administrator.
5 Click the Users button and select the user account.
6 In the panes provided, edit settings for the user account.
Editing User Account Information from the Command Line
You can set or modify the following user account attributes using dscl:
Attribute Description
apple-GeneratedUID User ID generated by the system
cn Users common name
homeDirectory Location of the users home folder
loginShell Users Terminal shell
sn Users surname
LastName Users last name
NFSHomeDirectory Location of the users Home folder
PrimaryGroupID Users primary group ID
RealName Users name
UserShell Users Terminal shell
To change a user account attribute to a new value:
source of directory service data:
$ dscl localhost
>
2 Change the current folder to
4 Set the user attribute to the desired value by entering the following command:
> create ajohnson attribute newvalue
Replace ajohnson with the user accounts short name, attribute with the name of the
attribute whose value you want to change, and newvalue with the value.
> quit
Working with Read-Only User Accounts
Use Workgroup Manager to review information about user accounts stored in read-
only directory domains. Read-only directory domains include LDAPv2 domains,
l0APv3 domains not con6gured for write access, and bS0 con6guration 6les.
To work with a read-only user account:
are con6gured to access the directory domain where the account resides.
lor information about using 0irectory Utility to con6gure server connections, see Open
Directory Administration. For information about the user account elements that need to
be mapped, see the appendix, Importing and Exporting Account Information.
3 Click the globe icon and choose the directory domain where the users account
resides.
4 Review the users account settings using the panes provided.
Working with Guest Users
You can set up some services to support guest users, who are not authenticated
because they dont have a valid user name or password. You dont need to create a
user account to support guest users.
The following services can be set up to support guest access:
A|e h|e servce. See File Server Administration.
FTP service. See File Server Administration.
Web service. See Web Technologies Administration.
Windows services. See Open Directory Administration.
Users who connect to a server anonymously are restricted to 6les, folders, and websites
with permissions set to Everyone.
Another kind of guest user account is a managed user account that you can con6gure
for easy setup of public or kiosk computers. For more about these kinds of user
accounts, see Chapter 10, Managing Preferences.
Working with Windows User Accounts
Use Workgroup Manager to change passwords, password policies, and other settings
in Windows user accounts.
The user accounts can reside in a servers local directory domain, a Mac OS X Server
PDC LDAP directory, or another directory system that allows read-write access (not
read-only access) such as an Open Directory master LDAP directory or Active Directory
on a Windows server.
You can change the user account settings in the Mac OS X Server PDC LDAP directory
but not in a BDC read-only LDAP directory. If you have a BDC, the PDC server replicates
the changes to the BDC.
Deleting a User Account
You can use Workgroup Manager to delete a user account stored in an Open Directory
domain, the local directory domain, or from any other read/write directory domain.
WARNING: You cannot undo this action.
Deleting a user account also deletes all of the users mail.
To delete a user account using Workgroup Manager:
2 Select the user account you want to delete.
administrator.
4 Choose Server > Delete Selected User or click the Delete icon in the toolbar.
$ dscl localhost
>
2 Change the current folder to /LDAPv3/ipaddress/Users by entering the path at the
prompt:
adminusername with an administrators user name, and entering that administrators
4 Delete the user account by entering the following command, replacing ajohnson with
the user accounts short name:
> delete ajohnson
> quit
Disabling a User Account
To disable a user account, you can:
Deselect the User can access account option in the Basic pane in Workgroup
Manager.
Delete the account.
Change the users password to an unknown value.
Set password options to disable login. This applies to user accounts with the
password type Open Directory or Shadow Password.
To disable a user account using Workgroup Manager:
administrator.
4 In the Basic pane, deselect User can access account and click Save.
1 Disable the user account:
$ pwpolicy -a diradmin -u ajohnson -setpolicy isDisabled=1
Replace ajohnson with the short name of the user account. Replace diradmin with the
short name of your directory administrator account.
Note: The pwpolicy command only works for LDAP/Password server users. For a local
user, use Workgroup Manager or the Accounts pane of System Preferences.
2 Kill the users active processes that are running on the directory server:
$ sudo killall -TERM -u ajohnson
Replace ajohnson with the user name.
3 Wait a few seconds to allow the previous command to execute; then, terminate the
users processes:
$ sudo killall -9 -u ajohnson
Replace ajohnson with the user name.
For more information about terminating processes, see the killall man page.
To reenable a user account using Workgroup Manager:
administrator.
4 In the Basic pane, select User can access account and click Save.
Enable a disabled user account: B
$ pwpolicy -a diradmin -u ajohnson -setpolicy isDisabled=0
Replace ajohnson with the short name of the user account. Replace diradmin with the
short name of your directory administrator account.
Working with Presets
Presets are templates used to de6ne attributes that apply to new user, group,
or computer group accounts.
Creating a Preset for User Accounts
You can create presets to use when creating user accounts in a directory domain.
Presets are stored in the directory domain youre currently viewing. If you change
directory domains, the presets you created in the other directory domain are not
available.
To create a preset for user accounts:
2 Click the globe icon and choose the domain where the users account resides.
administrator.
4 To create a preset using data in an existing user account, open the account; to create a
preset from scratch, create a user account.
5 lf you're basing the preset on an existing account, 6ll in the 6elds with values you
want new user accounts to inherit and then delete values you dont want to specify in
advance.
lhe following attributes can be de6ned in a user-account preset. simultaneous login,
default shell, comment, primary group ID, group membership list, home folder settings,
disk quota, mail settings, and print settings.
6 Click Preferences.
7 Con6gure settings you want the preset to de6ne and then click Accounts.
After con6guring preference settings for a preset, you return to the Accounts settings
to save the preset.
8 From the Presets pop-up menu, choose Save Preset, enter a name for the preset,
and click OK.
The preset is saved to the current directory domain.
Using Presets to Create Accounts
Presets provide a quick way to apply settings to a new account. After applying the
preset, you can continue to modify settings for the new account, if necessary.
You can use presets with user, group, and computer group accounts.
Presets are stored in the directory domain youre viewing. If you change directory
domains, the presets you created in the other directory domain are not available.
When importing accounts, you can apply a preset to the imported account. For more
information, see Using Workgroup Manager to Import Accounts on page 275.
To create an account using a preset:
2 Click the globe icon and then choose the directory domain where you want the new
account to reside.
Make sure the directory domain you choose contains the preset you want to use.
3 To authenticate, click the lock and then enter the name and password of a directory
administrator.
4 Click the Users, Groups, or Computer Groups button.
5 From the Presets pop-up menu, choose a preset.
6 To create accounts, click New User, New Group, or New Computer Group.
7 Add or update attribute values.
Renaming Presets
You can name presets to help remind you of template settings or to identify the type
of user account, group account, or computer group that the preset is best suited for.
To rename a preset:
2 Click the globe icon and then choose the directory domain that has the preset you
want to rename.
administrator.
4 From the Presets pop-up menu, choose Rename Preset.
5 Choose a preset from the Rename preset pop-up menu, enter a name, and then
click OK.
Editing Presets
When you change a preset, existing accounts that were created with it are not
updated to reect the changes.
ou edit a preset by using it to create an account, changing 6elds de6ned by the
preset, and then saving the preset.
To edit a preset:
2 Click the globe icon and choose the directory domain with the preset you want
to edit.
administrator.
4 Click the Users, Groups, or Computer Groups button.
6 Click New User, New Group, or New Computer Group to create accounts.
7 Change account settings that you want to save to the preset.
8 After completing your changes, choose Save Preset from the Presets pop-up menu,
enter the name of the preset you want to change, click OK, and then click Replace.
Deleting a Preset
If you no longer need a preset, you can delete it.
To delete a preset:
2 Click the globe icon and choose the directory domain with the preset you want to
delete.
administrator.
4 From the Presets pop-up menu, choose Delete Preset.
5 Select the preset you want to delete and click Delete.
Working with Basic Settings
basic settings are a collection of attributes that must be de6ned for all users.
In Workgroup Manager, use the user accounts Basic pane to work with basic settings.
Modifying User Names
The user name is the long name for a user, such as Mei Chen or Dr. Anne Johnson.
(In addition to the long name, sometimes the user name is referred to as the full name
or the real name.) Users can log in using the user name or a short name associated
with their accounts.
A user name can contain no more than 255 bytes. Because long user names support
various character sets, the maximum number of characters for long user names
ranges from 255 Roman characters to as few as 63 characters in character sets where
characters occupy up to 4 bytes.
Use Workgroup Manager to edit the user name of an account stored in an Open
You can also use Workgroup Manager to review the user name in any directory
domain accessible from the server youre using.
To work with the user name using Workgroup Manager:
2 Select the user account you want to work with.
To select the account, click the globe icon, choose the directory domain where the
account resides, and then select the user account in the accounts list.
administrator.
4 ln the lame 6eld (in the basic pane), review or edit the user name.
Initially, the value of the user name is Untitled #, where # is the sequential number
generated after the last generated number for an existing untitled user.
Avoid assigning the same name to more than one user. Workgroup Manager doesnt
let you assign the same name to di1erent users in any domain or in a domain in the
search policy. However, it cant detect whether duplicates exist in other domains.
Modifying Short Names
A short name is an abbreviated name for a user, such as mchen or annejohnson.
Users can log in using a short name or the user name associated with his or her
accounts. The short name is used by Mac OS X for home folders.
When Mac OS X creates a users local or network AFP home folder, it names the
directory after the users short name. For more information about home folders, see
Chapter 7, Setting Up Home Folders.
You can have as many as 16 short names associated with a user account. For example,
you might want to use multiple short names as aliases for mail accounts. lhe 6rst short
name is the name used for home folders and legacy group membership lists. Dont
reassign that name after you save the user account.
lor the 6rst short user name, use only these characters. Subsequent short names can
contain any Roman character.
a through z
A through Z
0 through 9
_ (underscore)
- (hyphen)
. (period)
Typically, short names contain eight or fewer characters.
lnitially, the value of the 6rst short name is "untitled_#,' where # is the sequential
number generated after the last generated number for an existing untitled user.
Avoid assigning the same name to more than one user. Workgroup Manager doesnt
let you assign the same name to di1erent users in a domain or in a domain search
policy. However, it cant detect whether duplicates exist in other domains.
After the user's account is saved you can't change the 6rst short name but you can
change any of the other short names.
Use Workgroup Manager to edit the short name of an account stored in an Open
You can also use Workgroup Manager to review the short name in any directory
domain accessible from the server youre using.
To work with a user short name using Workgroup Manager:
account resides, and then select the user account.
administrator.
4 Click basic, then in the Short lames 6eld review or edit the short names.
To do this Do this
Change a short name Double-click the short name and then replace it.
Add a short name Double-click the blank entry at the bottom of the
short name list and then enter a short name.
Choosing Stable Short Names
When you create a user account, assign the account a short name that wont be
changed. After creating the account, you cant use the Basic pane of Workgroup
Vanager to change a user's 6rst short name.
lo change a user's 6rst short name, create an account for the user in the same
directory domain that contains the new 6rst short name and retain all other account
information (user ID, primary group, home folder, and so on). Make sure you use the
same GUID for the new account. Then disable the login for the old user account.
After you disable the old login, the user can log in using the changed name but will
have the same access to 6les and other network resources as before and will belong to
the same groups.
For more information, see Working with GUIDs on page 92, andDisabling a User
Account on page 62.
Avoiding Duplicate Names
A users short name is used by the login window. This means that having multiple
users with the same short name causes a conict. Although you can't create multiple
users with the same short name in the Basic pane of Workgroup Manager, its still
possible to create multiple users with the same short name when you use command-
line tools or the Inspector.
If multiple user accounts have the same long user name on a Mac OS X computer,
the login window displays a list of users to choose from.
lf two users have the same 6rst short user name, the login window only recognizes
and authenticates the 6rst matching user account it 6nds in the sequence of directory
domains speci6ed by the computer's search policy, as set in 0irectory Utility.
lf a local user and a network user have the same 6rst short user name, the local
user always takes precedence, preventing the network user from logging in to the
computer.
In groups created using Mac OS X versions earlier than 10.4, group membership is
determined by the user's 6rst short name and group l0 (Cl0). lf multiple users have
the same 6rst short name, they have the same group memberships.
Groups created using Mac OS X Server v10.4 or later determine group membership
using a GUID and a combination of the users short name and GID. For information
about GUIDs, see Working with GUIDs on page 92.
If you dont upgrade legacy groups, the groups still determine membership by only
the user's 6rst short name and Cl0. lor instructions on upgrading legacy groups, see
Upgrading Legacy Groups on page 102.
To ensure that users have the correct legacy group membership, do not use duplicate
user short names.
To see if names are in use from the command line:
To see if a short name is in use: B
$ id shortname
The command searches all connected directories and lists users with the shortname.
To get the default UNIX short name for a user long name: B
$ sudo /System/Library/ServerSetup/serversetup -getUNIXName longname
Note: Mac OS X Server provides the net tool, which is essentially a clone of the
Windows net command. The net tool enables administrators to perform advanced
customization of the Primary Domain Controller (PDC) and mapping domain privileges
to UNIX groups. For more information, see the net man page.
To view a users account information: B
$ dscacheutil -q user -a name jdoe
name: jdoe
password: ********
uid: 501
gid: 501
dir: /Users/jdoe
shell: /bin/csh
gecos: John Doe
To view all user accounts: B
$ dscacheutil -q user
For more information about dscacheutil, see its man page.
Modifying User IDs
A user ID is a number that uniquely identi6es a user. Vac OS \ computers use the user
l0 to track a user's folder and 6le ownership.
when a user creates a folder or 6le, the user l0 is stored as the l0 of the user who
created the folder or 6le. lhis user l0 has read and write permissions to the folder or
6le by default.
The user ID should be a unique string of digits from 500 through 2,147,483,647. It is
risky to assign the same user l0 to di1erent users, because two users with the same
user l0 have identical directory and 6le permissions.
User IDs between 0 and 100 are reserved for system use and should not be deleted
or modi6ed except to change the password of the root user. Accounts with user l0s
below 100 arent listed in the login window.
ln general, after user l0s are assigned and users start creating 6les and folders, you
shouldnt change user IDs. However, one possible scenario where you might need to
change a user l0 is when merging users that were created on di1erent servers onto
a new server or cluster of servers. The same user ID might still be associated with a
di1erent user on the previous server.
When you create a user account in a shared directory domain, Workgroup Manager
assigns a user ID. The value assigned is an unused user ID (1025 or greater) in the
servers search policy. (Users created using the Accounts pane of System Preferences
are assigned user IDs starting at 501.)
You can use Workgroup Manager to edit the user ID of an account stored in an Open
Directory domain or in the local directory domain. You can also use Workgroup
Manager to review the user ID in any directory domain accessible from the server
youre using.
To change a user ID in Workgroup Manager:
To select an account, click the globe icon above the accounts list, choose the directory
domain where the users account resides, and then select the user.
administrator.
4 ln the basic pane, specify a value in the User l0 6eld.
Make sure the value is unique for all directory domains set in the search policy of
computers that the user logs in to. Workgroup Manager warns you if you change the
value to another user ID in the same directory domain.
ou can quickly 6nd all existing user l0s by choosing view > "Show System Users
and Groups, and then clicking the UID column header in the accounts list to sort the
accounts by user ID.
To see if a user ID is in use from the command line:
$ sudo /System/Library/ServerSetup/serversetup -verifyUID uid
The command displays a 1 if the UID is in use, or a 0 if it isnt.
To view names associated with a user ID is in use from the command line:
$ sudo /System/Library/ServerSetup/serversetup -getNamesByID uid
If you dont receive a response, the UID is not valid.
Assigning a Password to a User
When you create a user account, you must assign a password to the user. You can reset
the user's password by replacing the password 6eld with a new password.
For information about choosing secure passwords, see /oc O5 \ 5ecut|ty coohqutot|oo.
When you export user accounts using Workgroup Manager, password information
isn't exported. lf you want to set passwords, you can modify the export 6le before you
import it, or you can set passwords after importing. You can also manually create a
text-delimited import 6le and include passwords in it.
For more information about importing user accounts, see Understanding What You
Can Import and Export on page 273.
To assign a password:
administrator.
4 ln the basic pane, enter a password in the Password 6eld, enter it again in the verify
6eld, and then click Save.
To test a users password from the command line
$ sudo /System/Library/ServerSetup/serversetup -verifyNamePassword
shortname password
The command displays a 1 if the password is good, or a 0 if it isnt.
Assigning Administrator Privileges for a Server
A user who has server administrator privileges controls most of the servers
con6guration settings and can use applications (such as Server Admin) that require a
user to be a member of the servers administrator group.
You can use Workgroup Manager to assign server administrator privileges to a user
with an account stored in an Open Directory domain. You can also use Workgroup
Manager to review the server administrator privileges in any directory domain
accessible from the server youre using.
To set server administrator privileges in Workgroup Manager:
1 Log in to Workgroup Manager by specifying the name or IP address of the server you
want to grant administrator privileges for.
2 Click Accounts.
3 Click the globe icon and choose Local.
4 Click the lock and enter the name and password of a local administrator.
5 Click the globe icon and choose the directory domain where the users account
resides.
6 Click the lock and enter the name and password of a directory administrator.
7 Select a user account.
8 In the Basic pane, select User can administer this server.
To create a local administrator user account: B
$ sudo /System/Library/ServerSetup/serversetup -createUser fullname
shortname password
Enter the name, short name, and password in the order shown. If the full name
includes spaces, enter it in quotes.
The command displays a 0 if successful, or a 1 if the full name or short name is already
in use.
lo create a local administrator user with a speci6c Ul0. B
$ sudo /System/Library/ServerSetup/serversetup -createUserWithID fullname
shortname password uid
Enter the name, short name, password, and UID in the order shown. If the full name
The command displays a 0 if successful, or a 1 if the full name, short name, or UID is
already in use or if the Ul0 you speci6ed is less than 100.
lo create a local administrator user with a speci6c Ul0 and home folder. B
$ sudo /System/Library/ServerSetup/serversetup -createUserWithIDIP
fullname shortname password uid homedirpath
Enter the name, short name, password, and UID in the order shown. If the full name
The command displays a 0 if successful, or a 1 if the full name, short name, or UID is
already in use or if the Ul0 you speci6ed is less than 100.
To see if a user is a server administrator: B
$ sudo /System/Library/ServerSetup/serversetup -isAdministrator
[shortname]
The command displays a 0 if the user is an administrator, or a 1 if the user is not an
administrator.
Choosing a Users Login Picture
You can change a users login picture using Workgroup Manager. This picture
represents the user in the login window, in the Directory application, and in group
web services, and is the default buddy icon for the user in iChat.
Although you can use an image 6le of any size, you should use an image that is 64x64
pixels in size. If you use a larger image, resize and crop it in Workgroup Manager.
To change a users login picture:
administrator.
4 In the Basic pane, click the picture area in the top right and then choose Edit Picture to
open the User Picture window.
5 ln the User Picture window, click Choose, select an image 6le, and then click Open.
As an alternative, you can drag an image 6le from the linder or Safari and drop it
into the picture area in Workgroup Manager, or in the main area of the User Picture
window.
If you have iSight, you can click the camera button to take a snapshot.
6 Use the slider to zoom in and out of your picture and drag your picture around so the
focal point is in the center square, and then click Set.
The users picture is the image in the center square.
7 Click Save.
Working with Privileges
You can give a user account full or limited control over domain administration. When
giving limited administrative control, you can choose which users and groups the user
can administer, and what kind of control the user has over those users and groups.
You can change a users domain privileges for Open Directory domains. You cant
change privileges for a local user account or an account stored in domains that are not
Open Directory.
Full and limited administrators use Workgroup Manager to administer and manage
users.
In Workgroup Manager, use the user accounts Privileges pane to set privileges.
Removing Administrative Privileges from a User
Users with no administrative privileges can use Workgroup Manager to view (but not
change) accounts in a directory domain.
You can change a users domain privileges for LDAPv3 directory domains. You cant
change privileges for a local user account or an account stored in a non-LDAPv3
directory domain.
To remove a users administrative privileges:
administrator.
4 In Privileges, choose None from the Administration capabilities pop-up menu and
click Save.
Giving a User Limited Administrative Capabilities
You can allow users who dont need full administrative control the ability to perform
common administrative tasks by giving them limited administrative control.
For example, you might want student lab assistants to reset other students passwords
but not to edit the groups they belong to. Similarly, you might want school sta1 to edit
student user information but not their managed preferences.
When a user has limited administrative control, after authenticating in Workgroup
Manager, the Workgroup Manager interface only allows users to perform tasks
assigned to the limited administrator.
The following tasks are available to limited administrators:
Task Description
Manage user passwords Change a users password in the user accounts
Basic pane. A limited administrator cant change a
full administrators password.
Edit managed preferences Change managed preference settings.
Edit user information Edit the user accounts Info pane.
Edit group membership Edit the user accounts Groups pane or the group
accounts Members pane.
lf you give a user di1erent administrative capabilities at several account levels, the
capabilities are merged.
For example, lets say a user named Anne Johnson is a member of the Algebra 101
group, and the Algebra 101 group is a member of the All Classes group. You give
another user, Ravi Patel, the following administrative control:
Manage user passwords rights for All Users and Groups
Edit managed preferences rights for the All Classes group
Edit user information rights for the Algebra 101 group
Edit group membership rights for the Anne Johnson user account
Ravi Patel has all four abilities for Anne Johnsons user account.
directory domain.
To add limited administrative capabilities:
administrator.
4 In Privileges, choose Limited from the Administration capabilities pop-up menu.
5 To control the level of user or group administration, click the Add (+) button and drag
users and groups from the drawer to the User can administer list.
6 Select a user or group from the User can administer list and then select the
administration capabilities you want the limited administrator to have.
To give administrative control to all users and groups, select All Users and Groups and
then select administrative capabilities.
7 Click Save.
Giving a User Full Administrative Capabilities
A user with full administrative capabilities is also known as a directory administrator.
Directory administrators can modify any records in the directory domain and are the
only users who can change the passwords of other directory administrators.
directory domain.
To change a users administrative privileges:
administrator.
4 In Privileges, from the Administration capabilities pop-up menu, choose Full, and then
click Save.
source of directory service data.
Use the dscl tool to create a directory administrator user account.
$ dscl localhost
>
In interactive mode, the dscl tool displays the current folder in the directory domain
(not the current folder in the 6le system) and a ">' character as a prompt.
2 After you connect to the directory, choose the directory domain and change the
current folder to LDAPv3/ipaddress/Groups:
> cd LDAPv3/ipaddress/Groups
4 Create an administrator user.
> append admin Member adminusername
This command creates an administrator user, but it doesnt add the globally unique
identi6er (CUl0) of the administrator user to the group account.
5 Add the administrator user to the group.
> append admin GroupMembers guid
Replace guid with the globally unique identi6er.
6 Quit the dscl tool.
> quit
Working with Advanced Settings
Advanced settings include login settings, keywords, password type, and searchable
comments. In Workgroup Manager, use the user accounts Advanced pane to work
with advanced settings.
Enabling a Users Calendar
If you connect to a server running Mac OS X Server v10.5 and iCal service with
individual user calendars enabled, you can con6gure user accounts to use iCal server.
When users use iCal to log into the server, they can access their calendars.
If you connect to a server running Mac OS X Server v10.6 or later, use iCal Service
Utility to con6gure user calendars.
To enable a users calendar:
administrator.
4 In Advanced, select Enable calendaring, choose a server from the pop-up menu,
and then click Save.
Allowing a User to Log In to More Than One Computer at a Time
You can allow a managed user to log in to more than one managed computer at a
time, or you can prevent the user from doing so.
Note: Simultaneous login is not recommended for most users. You might want to
reserve simultaneous login privileges for technical sta1, teachers, or other users with
administrator privileges. (If a user has a network home folder, thats where the users
application preferences and documents are stored. Simultaneous login can change
these items, and many applications dont support such changes while the applications
are open.)
You can only disable simultaneous login for users with AFP home folders.
To allow a user to log in to more than one computer at a time:
administrator.
4 Click Advanced.
5 Select Allow simultaneous login on managed computers.
Choosing a Default Shell
You can change the default shell that the user uses for command-line interactions with
Mac OS X, such as /bin/tcsh or /bin/bash (the default).
The default shell is used by the Terminal application on the computer that the user
is logged in to, but Terminal has a preference that lets you override the default shell.
The default shell is used by secure shell (SSH) when the user logs in to a remote
Mac OS X computer.
Note: Terminal has a preference that allows the user to override the default shell.
To choose a default shell:
administrator.
4 To specify the users default shell when logging in to a Mac OS X computer, choose a
shell from the Login Shell pop-up menu.
To specify a shell that doesnt appear in the list, choose Custom and then enter the
path to the shell.
To ensure that a user cant access the server remotely using the command line,
choose None.
Choosing a Password Type and Setting Password Options
For user accounts in the LDAP directory of an Open Directory server, you can set
the password type to Open Directory or Crypt Password. User accounts in the local
directory domain have a password type of Shadow Password.
When you set the password type to Shadow Password or Open Directory, you can set
several password policy options, including disabling login after a period of inactivity or
failed authentication attempts, or setting password restrictions (such as requiring that
passwords have a speci6c minimum length or that they be changed at the next login).
If you set the password type to Shadow Password, you can also set security options to
control which authentication methods are used when validating the users password.
You can only assign the Open Directory password type if the directory administrator
account that you authenticate with also uses an Open Directory password.
Windows users must have Open Directory passwords for Windows domain login.
For a detailed explanation of password types, password policy options, and security
options, see Open Directory Administration.
To choose a user password type and set password options:
administrator.
4 Click Advanced.
5 From the User Password Type pop-up menu, choose Shadow Password,
Open Directory, or Crypt Password.
When you choose a password type, a prompt might appear requiring you to enter a
password, depending on whether you entered a password in the Basic pane.
If you choose Open Directory or Shadow Password, you can set a password policy for
the selected users by clicking Options, selecting any of the options, and clicking OK.
If you choose Shadow Password, you can also select authentication methods by
clicking Security.
6 Click Save.
Creating a Master List of Keywords
ou can de6ne keywords that enable quick searching and sorting of user accounts.
Using keywords can simplify tasks such as creating groups or editing multiple user
accounts.
Before you begin adding keywords to user records, you must create a master keyword
list. The list of keywords shown in the Advanced pane for a selected user applies only
to that user.
Each directory domain has its own master keyword list. For example, if you add a
keyword to the local directory domains master keyword list, it isnt available in another
directory domain unless you add it to that directory domains master keyword list.
To edit the master keyword list:
administrator.
4 Click Advanced and choose from the following:
To do this Do this
View the master keyword list, which lists all terms
available for use as keywords
Click the Edit (pencil) button. You can access and
edit the master keyword list from any selected
user account.
Add a keyword to the master list Click the Add (+) button and enter the keyword
in the text 6eld.
Remove a keyword from the master list and from
user and computer accounts where it appears
Select the keyword, select Remove deleted
keywords from users and computers, and then
click the Remove () button.
Remove a keyword only from the master list Deselect Remove deleted keywords from users
and computers, select the keyword you want to
remove, and then click the Remove () button.
5 when you 6nish editing the master list, click OK.
Applying Keywords to User Accounts
You can remove a keyword from all user accounts that are tagged with that keyword.
However, you can only add keywords to one user account at a time.
To work with keywords for a user account:
administrator.
4 Click Advanced and choose from the following:
To do this Do this
Add a keyword to the account Click the Add (+) button to view the list of
available keywords, select keywords in the list,
and then click OK.
Remove a keyword from the account Select the keyword you want to remove and click
the Remove () button.
5 when you 6nish adding or removing keywords for the user account, click Save.
Editing Comments
You can save a comment in a users account to provide information you might need to
help administer a user. A comment can contain no more than 32,767 bytes.
Note: Some character sets use characters that occupy up to 4 bytes. This reduces the
total number of characters you can use.
You can use Workgroup Manager to add a comment to an account stored in an Open
You can also use Workgroup Manager to review the comment in any directory domain
accessible from the server youre using.
To work with a comment using Workgroup Manager:
administrator.
4 Click Advanced and edit or review the contents of the Comment 6eld.
Working with Group Settings
Group settings identify the groups a user belongs to. In Workgroup Manager, use the
Group Settings pane in the users account to work with group settings.
For information about how to administer group accounts, see Chapter 5, Setting Up
Group Accounts.
Choosing a Users Primary Group
A primary group is the fastest way to determine whether a user has group permissions
for a 6le. lhe primary group l0 is used by the 6le system when the user accesses a 6le
that he or she doesn't own. lhe 6le system checks the 6le's group permissions, and if
the primary group l0 of the user matches the l0 of the group associated with the 6le,
the user inherits group access permissions.
Important: 0on't rely on primary group membership when assigning 6le permissions.
Although you can make a primary group a hierarchical group or a parent of
hierarchical groups, the 6le permissions for the primary group do not propagate.
If a users primary group is a hierarchical group or the parent of a hierarchical group,
the user is granted 6le permissions only for the primary group.
If the user does not belong to other groups, the user belongs to the primary group.
lf a user selects a di1erent workgroup at login, the user still retains access permissions
from the primary group.
The primary group ID should be a unique string of digits. By default, the primary group
l0 is 20 (which identi6es the group as "sta1'), but you can change it. lhe maximum
value for a group ID is 2,147,483,647.
Use workgroup Vanager to de6ne the primary group l0 of an account stored in an
Open Directory domain, the local directory domain, or other read/write directory
domain. You can also use Workgroup Manager to review the primary group
information for any directory domain accessible from the server youre using.
To set a primary group ID using Workgroup Manager:
administrator.
4 Click Croups and then edit or review the Primary Croup l0 6eld.
Workgroup Manager displays long and short names for the group after you enter a
primary group ID (if the group exists and is accessible in the search policy of the server
youre logged in to).
Reviewing a Users Group Memberships
You can use Workgroup Manager to review the groups a user belongs to if the user
account resides in a directory domain accessible from the server youre using.
You can view all groups the user belongs to and the parent groups of those groups.
To review group memberships using Workgroup Manager:
administrator.
4 Click Groups.
Except for the primary group, all other groups the user belongs to are listed in the
Other Groups list.
5 To view parent groups, click Show Inherited Groups.
Parent groups are shown in italics.
Adding a User to a Group
Add a user to a group when you want multiple users to have the same 6le permissions
or when you want to manage their Mac OS X preferences using workgroups or
computer groups.
For example, you can have groups for students in a classroom who are not permitted
to use a speci6ed printer, or for the quality control team in a factory that requires
access to the internal reports of di1erent groups.
Groups can include users and groups that are in an Open Directory domain or the
local directory domain. If you use an NFS directory, there is a 16-group limitation.
You can also add users to a group using the Members pane in the group account.
If a user is a direct member of multiple groups, he or she can choose which group
to acquire managed preferences from when logging in. You can manage Login
preferences so that preferences are combined from all workgroups accessible by
the user.
Note: There is no limit to the number of groups a user can belong to.
To add a user to a group using Workgroup Manager:
administrator.
4 Click Groups and then click the Add (+) button.
lhis opens a drawer that lists the groups de6ned in the directory domain you're
working with.
5 Select the group and then drag it to the Other Groups list in the Groups pane.
For information about adding users and groups to groups using the command line,
see Adding Users or Groups to a Group on page 107.
Removing a User from a Group
You can use Workgroup Manager to remove a user from a group if the user and group
accounts reside in an Open Directory domain or the local directory domain.
To remove a user from a group using Workgroup Manager:
administrator.
4 Click Groups.
5 Select the groups you want to remove the user from and then click the Remove ()
button.
You can also remove users from a group by using the Members pane of group
accounts. For more information, see Removing Group Members on page 109.
Working with Home Settings
Home settings describe a users home folder attributes. If you dont have a share point
set up to host home folders, you must set one up. To set up share points, use Server
Admin. To set up home folders, use Workgroup Manager.
For information about setting up share points and home folders, see Chapter 7, Setting
Up Home Folders.
Working with Mail Settings
You can create a mail account by specifying mail settings in the user account. To use
the mail service account, the user con6gures a mail client to identify the user name,
password, mail service, and mail protocol you specify in the mail settings.
In Workgroup Manager, use the Mail pane in the user account to work with mail
settings.
For information about how to set up and manage Mac OS X Server mail service,
see Mail Server Administration.
Enabling Mail Service Account Options
You can use Workgroup Manager to enable mail service and set mail options for a user
account stored in an Open Directory domain or other read/write directory domain.
You can also use Workgroup Manager to review the mail settings of accounts stored in
a directory domain accessible from the server youre using.
To work with a users mail account options using Workgroup Manager:
administrator.
4 Click Mail.
5 To allow the user to use mail service, select Enabled.
6 ln the Vail Server 6eld, enter a valid mail server name or address for the 0lS name,
or enter the IP address of the users mail server.
Workgroup Manager doesnt verify this information.
7 ln the Vail Quota 6eld, enter a value to specify the maximum number of megabytes
for the users mailbox.
A 0 (zero) or empty value means no quota is used.
When the users message space approaches or surpasses the mail quota you specify,
mail service displays a message prompting the user to delete unwanted messages to
free up space. The message shows quota information in megabytes (MB).
8 To identify the protocol used for the users mail account, select a Mail Access setting:
Post O1ce Protocol (POP), lnternet Vessage Access Protocol (lVAP), or both.
9 Click Save.
Disabling a Users Mail Service
You can use Workgroup Manager to disable mail service for users whose accounts are
stored in an Open Directory domain, the local directory domain, or other read/write
directory domain.
To disable a users mail service using Workgroup Manager:
administrator.
4 Click Mail, select None, and then click Save.
Forwarding a Users Mail
You can use Workgroup Manager to set up mail forwarding for users whose accounts
are stored in an Open Directory domain or the local directory domain.
To forward a users mail using Workgroup Manager:
administrator.
4 Click Mail, select Forward, and then enter the forwarding mail address in the Forward
lo 6eld.
Make sure you enter the correct address. Workgroup Manager doesnt verify that the
address exists.
5 Click Save.
Working with Print Quota Settings
User print settings de6ne the ability of a user to print to accessible Vac OS \ Server
print queues.
For information about how to set up print queues, see Print Server Administration.
In Workgroup Manager, use the Print Quota pane in the user account to work with
print quota settings.
Enabling a Users Access to All Available Print Queues
You can use Workgroup Manager to allow a user to print to all accessible Mac OS X
print queues that enforce quotas. To use Workgroup Manager to enable access to print
queues, the users account must be stored in an Open Directory domain or the local
directory domain.
To set a users print quota for all available print queues enforcing quotas:
administrator.
4 In Print Quota, select All Queues.
5 lnter values for the maximum number of pages the user can print in a speci6c number
of days.
lor the settings to take e1ect, the print queue must enforce quotas.
6 Click Save.
Lnab|ng a 0ser's Access to Sechc Prnt ueues
ou can use workgroup Vanager to allow a user to print to speci6c accessible
Mac OS X print queues that enforce quotas. To use Workgroup Manager to enable
access to print queues, the users account must be stored in an Open Directory domain
or the local directory domain.
1o set a user's rnt quota for sechc rnt queues enforcng quotas:
administrator.
4 In Print Quota, select Per Queue.
5 If the print queue you want to specify is not on the Queue Name pop-up menu, click
Add, enter the queue name, and then specify the IP address or DNS name of the server
where the queue is de6ned in the Print Server 6eld.
lor your settings to take e1ect, the print queue must enforce quotas.
6 To give the user unlimited printing rights to the queue, select Unlimited printing;
otherwise, select Limit to and specify the maximum number of pages the user can
print in a speci6c number of days.
7 Click Save.
Removing a Print Quota for a Queue
If you no longer require a print quota for a queue, you can use Workgroup Manager to
delete the quota for speci6c users.
lo delete speci6c print quotas, you must manage print settings per queue.
To delete a users print quota using Workgroup Manager:
account resides, and then select the user in the list.
administrator.
4 Click Print Quota and then select Per Queue.
5 Choose the users print queue that you want to delete from the Queue Name pop-up
menu.
6 Click Delete and then click Save.
Resetting a Users Print Quota
Occasionally, a user exceeds his or her print quota and needs to print additional pages.
For example, an administrator might want to print a 200-page manual, but the print
quota is only 150 pages. Or a student might exceed his or her quota by printing several
revisions of the same essay.
You can use Workgroup Manager to reset a users print quota and allow the user to
continue printing.
You can also extend a users page limit without resetting the quota by changing
the number of pages allowed for the user. In this way, the time period for the quota
remains the same and is not reset, but the number of pages the user can print during
that period is adjusted for current and future print quota periods.
To restart a users print quota using Workgroup Manager:
administrator.
4 Click Print Quota.
5 If youre managing All Queues, click Restart Print Quota.
6 If youre managing Per Queue, choose a print queue from the Queue Name pop-up
menu and then click Restart Print Quota.
7 To increase or decrease a users page limit, enter a new number in the Limit to ___
pages' 6eld.
8 Click Save.
Disabling a Users Access to Print Queues That Enforce Quotas
You can use Workgroup Manager to prevent a user from printing to any accessible
Mac OS X print queues that enforce quotas.
To use Workgroup Manager to disable access to print queues, the users account must
be stored in an Open Directory domain or the local directory domain.
To disable a users access to print queues enforcing quotas:
administrator.
4 Click Print Quota and then select None.
Working with Info Settings
If a users account resides in an LDAPv3 directory domain, it can contain information
imported from Address Book.
Attributes that are tracked in the Info pane include:
Name
Address
Phone number
Email address
Chat names
Homepage URL
Weblog URL
Other users can view the information in this pane when they view the user account in
Workgroup Manager and Directory.
To change a users info:
administrator.
4 Click lnfo, enter or change values, and when you 6nish, click Save.
Working with Windows Settings
windows users have settings for a windows home folder, a roaming user pro6le,
and a Windows login script. You can change these settings in the Windows pane of
Workgroup Manager.
You can change user account settings in the Mac OS X Server PDC LDAP directory but
not in a BDC read-only LDAP directory. If you have a BDC, the PDC server replicates
changes to the BDC.
Changng a Wndows 0ser's Proh|e Locaton
ou can change where a windows user's pro6le settings are stored. lhe pro6le includes
the users My Documents folder, favorites (web browser bookmarks), preference
settings (such as backgrounds and event sounds), and more.
User pro6les are stored in /Users/Pro6les/ on the P0C server. lhis is an SVb share
point, although it is not shown as a share point in Workgroup Manager.
ou can designate a di1erent location for a user pro6le, which can be a share point
on the PDC server or a Windows domain member server. The share point must be
con6gured to use SVb.
User pro6les can be located in a share point or in a folder in a share point. lhe share
point or folder used for user pro6les must have the proper access privileges.
Set the owner to root and give the owner Read & Write permission. Set the group to
the user's primary group (which is normally "sta1') and give the group Read 8 write
permission. Set the permission for everyone else to None.
For instructions, see Setting Up an SMB Share Point on page 130.
lnstead of storing a roaming pro6le in a share point on a server, you can designate the
location of a local pro6le stored on the windows computer.
1o change the Wndows roamng roh|e |ocaton for a user account:
2 Open the user account whose pro6le location you want to change.
To open a user account in the PDC, click the globe icon and choose the PDC servers
LDAP directory.
administrator.
4 Click windows and enter the new pro6le location in the User Pro6le Path 6eld.
lo use the default share point for user pro6les, leave this 6eld blank.
lor a roaming pro6le stored in a di1erent share point, enter the location of the share
point using the universal naming convention (UNC) format:
\\servername\sharename\usershortname
For servername, substitute the NetBIOS name of the PDC server or a Windows
domain member server where the share point is located.
To view the servers NetBIOS name, open Server Admin, select SMB in the Servers
list, click Settings, click Ceneral, and then look at the Computer lame 6eld.
For sharename, substitute the name of the share point.
For usershortname, substitute the 6rst short name of the user account you're
con6guring.
lor a local pro6le stored on the windows computer, enter the drive letter and folder
path in UNC format as in the following example:
C:\Documents and Settings\juan
5 Click Save.
Changing a Windows Users Login Script Location
You can use Workgroup Manager to change the folder location of a users Windows
login script in the /etc/netlogon/ folder on the PDC server.
To change the Windows login script location for a user account:
2 Open the user account whose Windows login script location you want to change.
LDAP directory.
administrator.
4 Click windows and enter the new login script location in the login Script 6eld.
Enter the relative path to a login script in /etc/netlogon/ on the PDC server.
For example, if an administrator places a script named setup.bat in /etc/netlogon/,
the login Script 6eld should contain "setup.bat.'
5 Click Save.
Changing a Windows Users Home Folder Drive Letter
You can use Workgroup Manager to change the Windows drive letter that a users
home folder is mapped to.
To change the Windows home folder drive letter for a user account:
2 Open the user account whose Windows home folder drive letter you want to change.
LDAP directory.
administrator.
4 Click Windows and choose a drive letter from the Hard Drive pop-up menu.
The default drive letter is H. Windows uses the drive letter to identify the mounted
home folder.
5 Click Save.
Changing a Windows Users Home Folder Location
You can change where a Windows users network home folder is stored. By default, the
network home folder is the same for Windows as it is for Mac OS X, and its location is
speci6ed in the lome pane.
For more information, see Setting Up a Home Folder for a Windows User on page 138.
Working with GUIDs
Although you can view and modify most user account attributes using the Accounts
pane in Workgroup Manager, you must use the Inspector to view and modify GUIDs.
Viewing GUIDs
GUIDs are stored in the directory domain and are not immediately visible in
workgroup Vanager. lo view CUl0s, you must 6rst enable the lnspector in workgroup
Manager. For instructions on using the Inspector, see Open Directory Administration.
WARNING: Although the Inspector allows you to edit GUIDs, it is not recommended.
0oing so destroys existing group memberships and 6le permissions for that user l0.
To view a user or group GUID:
3 Click the globe icon and then choose the domain where the account resides.
administrator.
5 Click the Users, Groups, Computers, or Computer Groups button and select the
account.
You can only view GUIDs for individual accounts.
6 Click the Inspector button under the lock at the far right.
If there is no Inspector button, make sure the Inspector is enabled by choosing
Workgroup Manager > Preferences, and then select Show All Records tab and
inspector.
7 Select the CeneratedUl0 6eld and then click ldit.
8 Click Cancel to make sure you do not change the GUID.
B $ dscl /Search -read /Users/username GeneratedUID
93
Use this chapter to set up, edit, and manage group accounts.
A group account o1ers a simple way to manage a collection of users with similar
needs. You can also create group folders, which provide an easy way for group
members to share 6les with each other.
You can use Workgroup Manager to view, create, edit, and delete group accounts.
To view group accounts in Workgroup Manager, click the Groups button above the
accounts list.
About Group Accounts
A group account stores the identities of users who belong to the group, as well as
information that lets you customize the working environment for members of the
group. when you de6ne preferences for a group, the group is known as a workgroup.
A primary group is the users default group. Primary groups can expedite the validation
performed by the Vac OS \ 6le system when a user accesses a 6le.
How Group Accounts Track Membership
Mac OS X Server uses GUIDs and a combination of the users short name and GID to
determine group membership. Before Mac OS X v10.4, group membership was based
only on a combination of the users short name and GID.
You can now have groups composed of users with all versions of Mac OS X. When you
use Workgroup Manager on Mac OS X Server v10.6 to add a member to a group, you
add both the users short name and GUID, which ensures backward compatibility.
5
Setting Up Group Accounts
Where Group Accounts Are Stored
Group accounts can be stored in any Open Directory domain. A directory domain
can reside on a Mac OS X computer (for example, an Open Directory domain) or it
can reside on a non-Apple server (for example, an LDAP or Active Directory server).
Workgroup Manager can work with accounts stored in any of these directory domains.
Group accounts must be stored in a directory domain accessible from the server that
needs them:
For services provided by a Mac OS X Server PDC or Windows domain member
server, group accounts can be stored in the PDC LDAP directory.
For services provided by an Active Directory domain member, group accounts can
be stored in the Active Directory domain.
For services provided by a Windows standalone server, group accounts can be
stored in the servers local directory domain.
lf a server is con6gured to access multiple directory domains, group accounts can
be stored in any of them.
lor more information about the di1erent kinds of Open 0irectory domains, see Open
Predehned Grou Accounts
The following table describes most group accounts that are created when you install
Mac OS X Server. For a complete list, open Workgroup Manager and choose View >
Show System Users and Groups.
2TGFGPGFITQWRPCOG Group ID Use
admin 80 A group that users with
administrator privileges belong
to.
bin 7 A group that owns all binary
6les.
daemon 1 A group used by system
services.
dialer 68 A group for controlling access to
modems on a server.
kmem 2 A legacy group used to control
access to reading kernel
memory.
mail 6 A group historically used for
access to local UNIX mail.
94 Chapter 5 Setting Up Group Accounts
Chapter 5 Setting Up Group Accounts 95
2TGFGPGFITQWRPCOG Group ID Use
_mysql 74 A group that the MySQL
database server uses for its
processes that handle requests.
network 69 A group that has no speci6c
meaning.
nobody -2 A group used by system
services.
nogroup -1 A group used by system
services.
operator 5 A group that has no speci6c
meaning.
smmsp 25 A group used by sendmail.
sshd 75 A group used for the sshd child
processes that process network
data.
sta1 20 A default group that UNIX users
are traditionally placed.
sys 3 A group that has no speci6c
meaning.
tty 4 A group that owns special
6les such as the device 6le
associated with an SSH or telnet
user.
_unknown 99 A group used when the system
doesnt know about the hard
drive.
utmp 45 A group that controls who
can update the systems list of
logged-in users.
_uucp 66 A group used to control access
to UUCP spool 6les.
wheel 0 A group (in addition to the
admin group) that users with
administrator privileges belong
to. Membership is required for
using the su command.
_www 70 A nonprivileged group that
Apache uses for its processes
that handle requests.
Administering Group Accounts
Workgroup Manager lets you administer group accounts stored in multiple directory
domains.
Creating Group Accounts
To create a group account in a directory domain, you must have directory
administrator privileges.
You can also create group accounts on a non-Apple LDAPv3 server if the server is
con6gured for write access.
To create a group account:
lor information about using 0irectory Utility to con6gure an l0AP connection, see
Open Directory Administration. For information about the group account elements
that may need to be mapped, see the appendix, Importing and Exporting Account
Information.
3 Click the globe icon and choose the domain where you want the group account to
reside.
administrator.
5 Click the Groups button.
6 Click New Group and then specify settings for the group in the panes provided.
ou can also use a preset or an import 6le to create a group. lor details, see "Creating
a Preset for Group Accounts on page 98 and the appendix, Importing and Exporting
Account Information on page 273.
1 Identify an unused group ID by entering the following command to display a list of
assigned group IDs.
$ dscl /LDAPv3/ipaddress -list /Groups PrimaryGroupID | awk {print $2}
| sort -n
Replace ipaddress with the location of your directory domain (the way it appears in
the search path in Directory Access).
After you enter the command, the dscl tool displays a list of assigned IDs similar to
the following output:
-2
0
1
25
78
79
501
Important: In this example, select an ID that isnt on the list and that is greater
than 501.
$ dscl localhost
>
3 Change the current folder to /LDAPv3/ipaddress/Groups by entering the path at the
prompt:
> cd /LDAPv3/ipaddress/Groups
5 Create a group, replacing ohceqtou with the new group accounts short name,
and specify the group ID, replacing 600 with the primary group ID.
> create officegroup PrimaryGroupID 600
6 Review the settings of your group by entering the following command, replacing
ohceqtou with the group accounts short name.
> read officegroup
7 View the settings for your group account.
Settings for your group account appear similar to the following output:
dsAttrTypeNative:cn: officegroup
dsAttrTypeNative:objectClass: posixGroup apple-group extensibleObject top
PrimaryGroupID: 600
RecordName: officegroup
RecordType: dsRecTypeStandard:Groups
8 Quit the dscl tool.
> quit
Creating a Preset for Group Accounts
You can use presets to apply predetermined settings to a new group account.
Presets are stored in the directory domain that youre viewing. If you change directory
domains, the presets you created in the other directory domain are not available.
For instructions on renaming, editing, or deleting group presets, see Renaming
Presets on page 64, Editing Presets on page 64, and Deleting a Preset on page 65.
To create a preset for group accounts:
2 Vake sure the server is con6gured to access the Vac OS \ directory domain or non-
Apple LDAPv3 domain where the preset is used to create accounts.
3 To create a preset using data in an existing group account, open the account; to create
a preset from scratch, create a group account.
4 lill in the 6elds with values you want new groups to inherit and delete values you
dont want to specify in advance.
5 Click Preferences, con6gure settings that you want the preset to de6ne, and then click
Accounts.
After con6guring preference settings for a preset, you must return to the Accounts
settings to save the preset.
6 From the Presets pop-up menu, choose Save Preset, enter a name for the preset,
and then click OK.
Editing Group Account Information
You can use Workgroup Manager to change a group account that resides in an Open
To make changes to a group account:
3 Click the globe icon and choose the domain where the group account resides.
administrator.
5 Click the Groups button and select the group you want to work with.
6 Edit settings for the group in the panes provided.
For details, see Working with Basic Settings for Groups on page 103, Working
with Member Settings for Groups on page 107, and Working with Group Folder
Settings on page 111.
To display group information from the command line:
$ dseditgroup officegroup
Creating Hierarchical Groups
A hierarchical group is a group that is a member of another group, known as a parent
group.
For computers with Mac OS X v10.5 or later, hierarchical groups inherit managed
preferences. Members of a hierarchical group have combined preferences managed by
their chosen workgroup and by parent groups. They can also inherit preferences from
parent groups.
For computers with Mac OS X v10.4 or later, the access permissions of a parent group
are inherited. For example, if you set a parent groups ACL permissions so the parent
group cant write to a folder, the ACL permissions are propagated so that hierarchical
groups also cant write to that folder.
Groups created using Mac OS X Server v10.3 and v10.4 must be upgraded to become
parent or child hierarchical groups and use hierarchical preference management. If you
dont upgrade groups created using Mac OS X Server v10.3, you cant use hierarchical
groups. If you dont upgrade groups created using Mac OS X Server v10.4, you cant
use hierarchical preference management with those groups. For more information,
see Upgrading Legacy Groups on page 102.
To create a hierarchical group:
are con6gured to access the desired directory domain.
3 Click the globe icon and choose the domain where you want the hierarchical group to
reside.
administrator.
5 To create a group, click the Groups button.
6 In the Members pane, click the Add (+) button to open a drawer that lists the users
and groups de6ned in the directory domain you're working with.
Vake sure the group account resides in a directory domain speci6ed in the search
policy of computers the user logs in to.
The drawer lists user and group accounts. Click the Groups button in the drawer to list
group accounts.
7 Drag the group from the drawer to the Members list.
All members of the hierarchical group also become members of the parent group.
8 Click Save.
To create a hierarchical group from the command line:
Enter this: B
$ dseditgroup -o edit [-a childgroup] [-t group] [-u username] [-P
password] [-n /LDAPv3/ipaddress] parentgroup
Parameter Description
childgroup The name of the child group you are adding to
the parent group
username The short name of a user with LDAP directory
service access
password The user password
ipaddress The IP address of your directory server
parentgroup The name of the parent group that the child
group is being added to
To verify a hierarchical group from the command line:
$ dscl localhost
>
prompt:
4 View the members of the group by entering the following (replacing parentgroup with
the group accounts short name):
> read parentgroup
5 View the setting for your group account.
Settings for the group account appear similar to the following output where the group
named parentgroup is shown as nested:
dsAttrTypeNative:apple-group-nestedgroup:1A2B3456-C7D8-9EF1-2345-
678G912H3456
dsAttrTypeNative:cn: parentgroup
NestedGroups:1A2B3456-C7D8-9EF1-2345-678G912H3456
PrimaryGroupID: 700
RecordName: parentgroup
To unnest a group from the command line:
Enter this: B
$ dseditgroup -o edit [-d childgroup] [-t group] [-u username] [-P
password] [-n /LDAPv3/ipaddress] parentgroup
childgroup The name of the child group you are adding to
the parent group
group The type of account you are changing (in this
case, group)
username The short name of a user with LDAP directory
service access
password The user password
ipaddress The IP address of your directory server
parentgroup The name of the parent group that the child
group is being added to
Upgrading Legacy Groups
When you upgrade from Mac OS X Server v10.3, or when you import groups created
using Workgroup Manager v10.3, existing groups cant use hierarchical preference
management unless you 6rst convert them. Upgrading from Vac OS \ Server v10.2 or
importing groups created in Workgroup Manager v10.2 automatically converts groups
during import.
Upgrading legacy groups does not negatively a1ect group members with client
computers running previous versions of Mac OS X.
To convert a legacy group to an upgraded group account:
are con6gured to access the directory domain.
3 Click the globe icon and choose the domain where the group account resides.
administrator.
5 Click the Groups button and select the legacy group you want to upgrade.
6 In the Members pane, click the Upgrade Legacy Group button and then click Save.
Working with Read-Only Groups
You can use Workgroup Manager to review information for group accounts stored in
read-only directory domains. Read-only directory domains include LDAPv2 domains,
l0APv3 domains not con6gured for write access, llS domains, and bS0 con6guration
6les.
To work with read-only groups:
are con6gured to access the directory domain where the account resides.
lor information about using 0irectory Utility to con6gure server connections, see
Open Directory Administration. For information about the group account elements that
need to be mapped, see the appendix, Importing and Exporting Account Information.
3 Click the globe icon and then choose the directory domain where the group account
resides.
4 Use the panes provided to review the group account settings.
Deleting a Group
You can use Workgroup Manager to delete a group account stored in an Open
To delete a group using Workgroup Manager:
2 Select the group account you want to delete.
account resides, click the Groups button, and then select the group.
administrator.
4 Choose Server > Delete Selected Group or click the Delete icon in the toolbar.
$ dseditgroup -o delete -p -n /LDAPv3/ipaddress -u diradmin groupname
Replace ipaddress with the IP address of the DNS name of the LDAPv3 server, diradmin
with the name of the directory administrator, and groupname with the name of the
group you want to delete.
The -p option prompts you for your diradmin password, which is more secure than
putting the password in the command you are sending.
For more information, see the dseditgroup man page.
Working with Basic Settings for Groups
Basic settings for groups include name, ID, picture path, and comments.
Naming a Group
A group has two names: a long name and a short name.
A long group name (for example, English Department Students) is used for display
purposes and contains no more than 255 bytes.
Because long group names support various character sets, the number of characters
for long group names can range from 255 Roman characters to as few as 63
characters (for character sets in which characters occupy up to 4 bytes).
A short group name contains as many as 255 Roman characters. Use only the
following characters in a short group name:
a through z
A through Z
0 through 9
_ (underscore)
- (hyphen)
. (period)
lhe short name (typically eight or fewer characters) is used by Vac OS \ to 6nd
group members' user l0s when determining whether a user can access a 6le as a
result of his or her group membership.
For more information about group membership, see How Group Accounts Track
Membership on page 93.
You can use Workgroup Manager to edit the long or short names of a group account
stored in an Open Directory domain, the local directory domain, or other read/write
directory domain. You can also use Workgroup Manager to review the names in any
directory domain accessible from the server youre using.
To work with group names using Workgroup Manager:
2 Select the group account you want to work with.
To select an account, click the globe icon, choose the directory domain where the
account resides, click the Groups button, and select the group.
administrator.
4 Click basic, then in the lame 6eld (or the Short lame 6eld) review or edit the names
and then click Save.
Before saving a new name, Workgroup Manager checks to ensure that the name is
unique.
Dehnng a Grou |D
A group l0 is a string of ASCll digits that uniquely identi6es the group. lhe maximum
value is 2,147,483,647.
You can use Workgroup Manager to edit the ID for a group account stored in an Open
Directory domain or the local domain, or to review the group ID in any directory
domain accessible from the server youre using. The group ID is associated with group
privileges and permissions.
To work with a group ID using Workgroup Manager:
administrator.
4 Click basic, then in the Croup l0 6eld review or edit the l0 and click Save.
before saving a group l0, workgroup Vanager veri6es that it is unique in the directory
domain youre using.
Choosing a Groups Login Picture
You can quickly change a groups login picture in Workgroup Manager. This picture
represents the group in the workgroup chooser of the login window.
Although you can use an image 6le of any size, you should use an image that is 64x64
pixels in size. If you use a larger image, it is centered and resized to 64x64.
Croup pictures are stored as a path to an image 6le, not as the 6le itself. lhis path must
be accessible by the computers used by the group. For example, if you enter a path
to an image 6le on the desktop, the image 6le must be located on the desktop of all
computers used by the group. lo avoid copying image 6les to all computers, store
image 6les on a server.
To choose a groups login picture:
administrator.
4 In the Basic pane, drag a picture to the picture area in the top right.
when you drag a picture to the picture area, the Picture Path 6eld is updated with the
new location of the picture. You can also change the picture by editing this path.
5 Click Save.
Enabling a Groups Web Services When Connecting to Mac OS X
Server v10.5
Mac OS X Server v10.5 allows groups to easily create a collaborative website. This
website uses calendar, wiki, and blog technology to streamline group communication.
You can also set up a mailing list so that mail sent to the list is sent to all group
members and are archived on the group website.
In Mac OS X Server v10.6, users can set up wikis and blogs while viewing the website.
Because of this, Workgroup Manager supports creation of wikis and blogs when you
connect to Mac OS X Server v10.5, but not when you connect to Mac OS X Server v10.6.
ou can only enable the web calendar and mailing list archive if you 6rst enable the
wiki and blog service.
You can choose who views or edits the website:
Group members only includes all members of the group
Some group members (only available for editing) includes group members who
are given editing privileges
Authenticated users includes anyone who can authenticate with your
organizations directory
Anyone allows everyone, without requiring authentication
ou can provide di1erent levels of website access to di1erent subsets of users. lor
example, you can set up an intranet site where everyone in your organization can view
the site (allow Entire directory to view services), but only group members can edit it
(allow Group members to edit services).
When setting up levels of website access, the users who can edit the website are a
subset of the users who can view it. For example, you cant let anyone edit the site and
allow only group members to view it.
When you create a group, the URL of the group website and the mailing list email
address is based on the short name of the group (shortname@hostname.com). If you
change the groups name after creating it, the URL and mailing list email address do
not change.
The administrator computers search policy must include the server that hosts web
services.
To enable a groups web services:
administrator.
4 Choose a server from the Enable the following services for this group on pop-up
menu.
5 Select the services you want to enable.
You can only select services that are not disabled by your web server.
6 Choose who can view the group website by using the can view these services pop-up
menu.
This option applies to viewing the wiki, blog, calendar, and mailing list archive.
7 Choose who can edit the group website by using the can write to these services pop-
up menu.
This option applies to editing the wiki, blog, and calendar.
8 Click Save.
Working with Member Settings for Groups
In Workgroup Manager, use the Members pane for a group to view, add, or remove
group members.
When a user name in the Members list appears in italics, the group is the users
primary group.
Adding Users or Groups to a Group
when you want multiple users or groups to have the same 6le permissions, or when
you want to apply the same management settings to all users or groups, add the users
or groups to a group.
After assigning a user to a primary group, you dont need to add the user to that
group. lowever, you must speci6cally add users to other groups.
You can use Workgroup Manager to add a user to a group if the user and group
accounts are in an Open Directory domain or the local directory domain. Although
some group information doesnt apply to Windows users, you can also add Windows
users to groups you create.
Mac OS X Server v10.5 and later supports hierarchical groupsgroups composed of
nested groups. By managing preferences for a parent group, child groups also receive
these managed preferences. For more information, see Understanding Hierarchical
Preference Management on page 170.
To add a user to a group using Workgroup Manager:
administrator.
4 In the Members pane, click the Add (+) button to open a drawer that lists the users
and groups de6ned in the directory domain you're working with.
Vake sure the group account resides in a directory domain speci6ed in the search
policy of computers that the user logs in to.
5 Select the user account, drag the user into the list, and then click Save.
$ dscl localhost
>
prompt:
4 Add the user to the group by entering the following command, replacing groupPath
with the groups path relative to the current folder, and userName with the users short
name:
> append groupPath GroupMembership userName
For example, if the groups folder is in the /Groups folder, replace groupPath with the
groups short name. However, if the groups folder is in the /Groups/building1/ folder,
replace groupPath with building1/shortName, where shortName is the groups short
name.
5 Review the settings of the group by entering the following command, replacing
groupShortName with the group accounts short name:
> read groupShortName
6 View the settings for the group account.
Settings for the group account appear similar to the following output:
dsAttrTypeNative:memberUid: mchen ajohnson bmiller
GroupMembership: mchen ajohnson bmiller
Member: mchen ajohnson bmiller
PrimaryGroupID: 600
> quit
Removing Group Members
You can use Workgroup Manager to remove group members if the group account and
its members reside in an Open Directory domain or the local directory domain.
You cant remove a users primary group.
To remove group members:
administrator.
4 In the Members pane, select the members you want to remove from the group, click
the Remove () button, and then click Save.
$ dscl localhost
>
prompt:
4 View the current members of the group by entering the following (replacing
ohceqtou with the group accounts short name):
> read officegroup
Settings for the group account appear similar to the following output, where the
group named officegroup has users mchen, ajohnson, and bmiller as members:
dsAttrTypeNative:MemberUid: mchen ajohnson bmiller
GroupMembers:2B3A4567-E8C9-9EC2-3456-789D123E4567 1B2A3456-E7C8-9EC1-
2345-678D912E3456 8B9A1234-E5C6-7EC8-9123-456D78E9123
GroupMembership: mchen ajohnson bmiller
Member: mchen ajohnson bmiller
PrimaryGroupID: 600
6 Remove the user by entering the following command, replacing ajohnson with the
short name of the user account, ajguid with ajohnsons GUID, and ohceqtou with the
short name of the group account:
> delete officegroup GroupMembership ajohnson
> delete officegroup GroupMembership ajguid
7 Review the new settings of the group:
> read officegroup
Settings for the group account show that the user you removed is no longer a group
member, similar to the following output:
dsAttrTypeNative:MemberUid: mchen bmiller
GroupMembers:2B3A4567-E8C9-9EC2-3456-789D123E4567 8B9A1234-E5C6-7EC8-
9123-456D78E9123
GroupMembership: mchen bmiller
Member: mchen bmiller
PrimaryGroupID: 600
> quit
Working with Group Folder Settings
A group folder o1ers a way to organize and distribute documents and applications to
group members, and gives group members a way to share 6les with each other.
Group folders are not directly linked to workgroup management, but access and
workow management can be improved by combining the use of group folders with
managed preferences for workgroups.
lor example, to set a multimedia lab computer speci6cally for a movie-editing class,
you could set Dock preferences for the movie-editing workgroup to display only
iMovie and the group folder. Because the group folder is in the Dock, it provides an
easily accessible location for students to store and retrieve 6les.
Group folders arent mounted on Windows workstations when group members log
in to the Windows domain. If the group folders share point is shared using SMB, a
Windows user can go to My Network Places (or Network Neighborhood) and access
the contents of the group folder.
Specifying No Group Folder
You can use Workgroup Manager to change a group account with a group folder to
one that has no group folder. By default, a new group has no group folder.
To specify no group folder:
administrator.
4 Click the Groups button and select a group.
5 Click Group Folder; then in the list, select (None) and click Save.
Creating a Group Folder
You can create a group folder for a group in any existing share point, or you can create
the group folder in the /Croups folder (a prede6ned share point).
In Workgroup Manager, you can also create group folders that dont reside
immediately below a share point. For example, you can organize group folders into
several subfolders under a share point that you de6ne.
If Groups is the share point, you can place group folders for students in
/Groups/StudentGroups and group folders for teachers in /Groups/TeacherGroups.
The full path to a group folder for second-grade students might be
/Groups/StudentGroups/SecondGrade.
Group folders are hosted on share points. For instructions about creating share points,
see Setting Up a Share Point on page 127.
After setting up a group folder, you can automate a group members access to the
group folder when the user logs in by:
Setting up Dock preferences to make the group folder visible in the Dock.
For instructions, see Providing Easy Access to Group Folders on page 187.
Setting up login preferences so that users can click Computer in the Finder to
see the group folder share point and the group folders in it. For instructions,
see Providing Easy Access to the Group Share Point on page 213.
when setting up these preferences, make sure the group is de6ned in a shared domain
in the search policy of the group members computer. For instructions on setting a
computers search policy, see Open Directory Administration.
If you dont automate group folder access, group members can access the group folder
using the Connect to Server command in the Go menu in the Finder to navigate to
the server where the group folder resides.
To set up a group folder in the /Groups folder or on another existing share point:
To select an account, connect to the server where the account resides, click the globe
icon, choose the directory domain where the group account is stored, click the Groups
button, and then select the group.
administrator.
4 Click Group Folder.
5 To add a share point to the list, click the Add (+) button and enter the requested
information.
ln the URl 6eld, enter the full URl to the share point where you want the group folder
to reside.
For example, to identify an AFP share point named SchoolGroups
on a server whose DNS name is myserver.example.com, enter
afp://myserver.example.com/SchoolGroups.
If you are not using DNS, replace the DNS name of the server hosting the group folder
with the servers IP address: afp://192.168.2.1/SchoolGroups.
ln the Path 6eld, enter the path from the share point to the group folder, including the
group folder but excluding the share point. Do not put a slash at the beginning or at
the end of the path.
For example, if the share point is SchoolGroups and the full path to the group folder is
SchoolGroups/StudentGroups/SecondGrade, enter StudentGroups/SecondGrade in the
Path 6eld.
Note: Con6guring a group folder share point with a network mount record does not
cause the group folder to mount when a group member logs in. You can provide easy
access to a group folder by managing Dock or login preferences for the group.
6 ln the Owner lame 6elds, enter the short name and long name of the user you
want to assign as the owner of the group folder so the user can act as group folder
administrator.
To choose an owner from a list of users in the current directory domain, click the
browse (...) button. Click the globe icon in the drawer to choose a di1erent directory
domain.
The group folder owner is given read/write access to the group folder.
7 Click Save.
8 To create the folder, use the ssh tool to connect to the server hosting the share point
and then enter the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information about ssh,
enter man ssh in Terminal to view the man page. For more information about
CreateGroupFolder, enter man CreateGroupFolder in Terminal to view the man
page.
The group folder is named using the short name of the group it is associated with.
$ sudo /usr/bin/CreateGroupFolder
For more information, see the CreateGroupFolder man page.
Designating a Group Folder for Use by Multiple Groups
To permit a group folder to be accessed by multiple groups, identify the folder for
each group separately.
Usually, a single group has read/write permissions for a group folder. To allow multiple
groups to access the same group folder, use Server Admin to add an ACE for every
group to the group folders ACL.
For more information about using Server Admin to apply ACL permissions to folders,
see File Server Administration.
1o conhgure more than one grou to use the same grou fo|der:
2 Select the 6rst group account that will use the folder.
icon, choose the directory domain where the group account is stored, click the Groups
button, and then select the group.
3 Click Group Folder, select the folder you want the group to use, and then click Save.
4 In Server Admin, add an ACE entry that gives the group read/write permissions for the
group folder.
5 Repeat this process for each group that you want to use the same group folder.
115
Use this chapter to set up and manage individual computers
and groups of computers.
To manage an individual computer, you must create a computer account. To manage
a group of computers, you must create a computer group composed of computer
accounts or of other computer groups.
Use Workgroup Manager to view, create, edit, and delete computers and computer
groups.
To view computers in Workgroup Manager, click the Computers button above the
accounts list. To view computer groups in Workgroup Manager, click the Computer
Groups button above the accounts list.
About Computer Accounts
A computer account stores data that allows Mac OS X Server to identify and manage
individual computers. lo create computer groups, you must 6rst create computer
accounts for each individual computer.
Before setting up a computer, you need the computers name and address. You usually
use the computer name speci6ed in a computer's Sharing preferences, or you can use
a descriptive name that you 6nd more suitable.
A computers address must be the Ethernet address, which is unique to each
computer. (A computers Ethernet address, or Ethernet ID, is also known as its MAC
address.) When you browse for a computer, Workgroup Manager enters the computers
name and lthernet address for you. A client computer uses this data to 6nd preference
information when a user logs in.
For Windows computers, you must know the NetBIOS name of each Windows client
computer. lhis name is entered in the name 6eld. ou don't need to know the lthernet
address of Windows client computers.
6
Setting Up Computers and
Computer Groups
When a computer starts up, Mac OS X tries to match the computers Ethernet address
with a computer account. If a matching computer account is found, the computer
uses the managed preferences for that computer account and the computer groups
it belongs to. If no matching computer account is found, the computer uses the
managed preferences for the Guest Computer account.
Creating Computer Accounts
To create a computer account in a directory domain, you must have administrator
privileges.
When you enter the Ethernet ID, it must be entered correctly so the DHCP server can
6nd the computer. lt must follow these rules.
It must be entered using hexadecimal numbers. Hexadecimal numbers include
digits 09 and letters af.
Bytes must be separated by colons. Bytes are comprised of two hexadecimal
numbers.
All bytes with a single hexadecimal number should have a leading zero. For
example, the following Ethernet ID is invalid because the single hexadecimal
numbers do not have leading zeros:
7:8:9:a:b:c
However, the following Ethernet ID is valid because the hexadecimal numbers have
leading zeros:
07:08:09:0a:0b:0c
The letters af must be entered in lower case.
To create a computer account:
2 Click the globe icon and choose the directory domain where you want to store the
computer account.
administrator.
4 Click the Computers button.
5 Choose Server > New Computer (or click New Computer in the toolbar) and then enter
long and short names for the computer.
6 Click General.
7 lo add a comment, in the Comment 6eld, enter a comment.
Comments and keywords make it easier to search for the computer.
8 To associate keywords with the computer, click the Add (+) button next to the
keywords list.
116 Chapter 6 Setting Up Computers and Computer Groups
Chapter 6 Setting Up Computers and Computer Groups 117
If keywords that you want to associate arent listed in the master keyword list, click Edit
Keywords, click the Add (+) button, enter a name for the keyword, and click OK.
Select the keywords you want to associate with the computer and click OK.
9 lnter the hardware UUl0 in the lardware UUl0 6eld.
lo 6nd the hardware UUl0.
On client computers with Vac OS \ v10.6 or later, open System Pro6ler (located in
/Utilities), view Hardware, and review the Hardware UUID entry.
On client computers with Vac OS \ v10.5.7 or later, open System Pro6ler and choose
lile > Save. After saving the System Pro6ler log 6le, enter the following in lerminal.
grep IOPlatformUUID system_profiler_log.spx
Replace system_toh|et_|oq with the path and name of the System Pro6ler log 6le.
If your client computer is running Mac OS X v10.5.6 or earlier, update it to Mac OS X
v10.5.7 or later.
If your client computers run Mac OS X v10.4, dont enter a hardware UUID.
10 Click Network and enter the Ethernet ID for the computer and its IP address (if the
computer receives a static IP).
11 Click Save.
Working with Guest Computers
If a computer connects to your directory domain, and the computer doesnt have any
managed settings in its record or computer groups that its record is in, that computer
is treated as a guest computer. If there is no computer record, the computer is treated
as a guest computer. Settings for the guest computer account apply to these unknown
computers.
lo apply speci6c management settings to a computer, don't use the guest computer
account to manage it. Create a computer account for it.
Note: You cant change the name of a guest computer. Because the Guest Computer
account is associated with all unknown computers, you cant enter network settings to
identify the computer.
To set up the guest computer account:
2 Click the globe icon and choose the directory domain that contains the guest
computer account.
administrator.
4 Click the Computers button (on the left).
5 Choose Server > Create Guest Computer.
6 Select the Guest Computer account.
7 Click General, enter a comment or add keywords, and then click Save.
Working with Windows Computers
Every Windows computer that joins the Windows domain of a Mac OS X Server
primary doman controller (P0C) must have a computer account, which identi6es the
Windows computer by its NetBIOS name.
The computer account for a Windows computer also contains information for
authenticating the computer as a trusted workstation in the Windows domain.
Mac OS X Server creates this information in the form of a UID and a GID.
You can add Windows computer accounts to computer groups, but Windows
computers dont receive managed preferences.
Important: Dont create computer accounts for Windows 2000 or Windows XP
computers. If you do, they might not be usable for domain login. Instead, use the
Windows software on these computers to join them to the Windows domain.
For information, see Open Directory Administration.
About Computer Groups
A computer group comprises computers with the same preference settings. You can
use Workgroup Manager create and modify computer groups.
To edit computer groups or computer group preferences, you must have directory
administrator privileges. For instructions on assigning administrator privileges for a
directory domain, see Giving a User Full Administrative Capabilities on page 75.
D6erences 8etween Comuter Grous and Comuter Lsts
Before Mac OS X Server v10.5, computer lists were used to manage computers.
Computer lists and computer groups function similarly. By managing a computer list
or a computer group, you are managing all individual computers within them.
lhere are two ma|or di1erences between computer groups and computer lists.
Computer groups allow you to include other computer groups. You can then
manage hierarchical groups by managing the parent computer group.
A computer can be a member of multiple computer groups. However, a computer
can only be a member of a single computer list.
Ideally, all members of a computer group are either computers running Mac OS X v10.5
or later, or other computer groups. Computer groups that include computers running
Mac OS X v10.4 or earlier act like any other computer group of computers running
Mac OS X v10.5 or laterthat is, computers can belong to multiple computer groups,
and you can form hierarchical groups.
The computer group acts like a computer list for computers running earlier versions of
Mac OS X. Computers can only belong to one list, and nesting the computer group has
no e1ect on the computer.
Administering Computer Groups
You can use Workgroup Manager to administer computer groups stored in various
directory domains.
Creating a Computer Group
When you create a computer group, keep in mind the following:
A computer group is a group of computers that have the same preference settings
and are available to the same users and groups.
You can add up to 2000 computers to a computer group.
You can create hierarchical groups to manage computers with Mac OS X v10.5 or
later. Hierarchical groups inherit managed preferences. Computers in a hierarchical
group have combined preferences managed by their computer group and by parent
computer groups. They can also inherit preferences from parent computer groups.
To set up a computer group:
computer group.
administrator.
4 Click the Computer Groups button (on the left).
5 To use a preset, choose one from the Presets pop-up menu.
6 Choose Server > New Computer Group (or click New Computer Group in the toolbar),
and then enter a name for the computer group.
7 Click Basic.
8 Optionally, add a comment.
Comments are useful for providing information about a computers location,
con6guration (for example, a computer set up for individuals with special needs), or
attached peripherals. ou could also use the comment for identi6cation information,
such as the computers model or serial number.
9 Click Members, click the Add (+) button, and then drag computers or computer groups
listed in the drawer to add them to the computer group.
You can also click the Browse (...) button, select a computer, and click Add.
10 Click Save.
After setting up a computer group, you can manage preferences for it. For
more information about using managed preferences, see Customizing the User
Experience on page 160, and Chapter 10, Managing Preferences.
Creating a Preset for Computer Groups
You can select settings for a computer group and save them as a preset. Presets work
like templates, allowing you to apply preselected settings and information to new
computer groups.
Using presets, you can easily set up multiple computer groups that use similar settings.
However, you can only use presets when creating a computer group. You cant use a
preset to change a computer group.
To set up a preset for computer groups:
2 Click the globe icon and choose the directory domain where you want to create a
computer group using presets.
administrator.
4 Click the Computer Groups button (on the left).
5 Create a computer group by clicking New Computer Group or by selecting an existing
computer group (on the left).
6 Fill in the information in the Basic and Members panes.
7 From the Presets pop-up menu, choose Save Preset.
After creating a preset, you can change its settings, change its name, or delete it:
To do this Do this
Change the presets settings Create a computer group based on the preset
and change the computer group settings. Save
the preset using the same name as the old
preset.
When you change a preset, existing accounts that
were created with it are not updated to reect
the changes.
Change the name of a preset Choose Rename Preset from the Presets pop-up
menu, choose the preset, enter a new name, and
then click OK.
Delete a preset Choose Delete Preset from the Presets pop-up
menu, select the preset, and then click Delete.
Using a Computer Group Preset
When you create a computer group, you can choose any preset from the Presets pop-
up menu to apply initial settings. You can further modify computer group settings
before you save the list.
When you save the computer group, you cant use the Preset menu again for that list
(for example, you can't apply a di1erent preset to the group).
To use a preset for computer groups:
computer group.
administrator.
4 Click the Computer Groups button (on the left) and then click Basic.
6 Choose Server > New Computer Group (or click New Computer Group in the toolbar).
7 Add or update settings as needed and then click Save.
Adding Computers or Computer Groups to a Computer Group
You can easily add computers and computer groups to an existing computer group
using Workgroup Manager.
Hierarchical computer groups are supported in Mac OS X Server v10.5 or later. If you
add computer groups containing client computers running Mac OS X v10.4 or earlier,
those clients dont receive managed preferences from parent computer groups.
To add computers or computer groups to a computer group:
2 Select the computer group.
To select the computer group, click the globe icon, choose the directory domain that
contains the computer group, click the Computer Groups button, and then select the
computer group.
administrator.
4 Click Members, click the Add (+) button, and then drag computers or computer groups
from the drawer to the list.
You can also click the Browse (...) button, select a computer, and then click Add.
Continue adding computers and computer groups until the list is complete.
5 Click Save.
Removing Computers and Computer Groups from a Computer Group
If you remove a computer from a computer group, you can still manage it by
managing its computer account or by adding it to another computer group.
To remove a computer or computer groups from a computer group:
2 Select the computer group the computer belongs to.
contains the computer group you want to modify, click the Computer Groups button,
and then select the list.
administrator.
4 In the Members pane, select one or more computers or computer groups.
5 Click the Remove () button and then click Save.
Deleting a Computer Group
If you no longer need a computer group, you can use Workgroup Manager to delete it.
To delete a computer group:
2 Select the computer group.
contains the computer group you want to delete, click the Computer Groups button,
and then select the list.
administrator.
4 Choose Server > Delete Selected Computer Group, or click Delete in the toolbar and
then click Delete.
Upgrading Computer Lists to Computer Groups
Computer lists are groups of computers created in Mac OS X Server v10.4 or earlier.
Computer lists can only include computers, not other computer lists. Computer groups
can include computers and hierarchical computer groups. You can hierarchically
manage preferences for computer groups.
Computer groups can include computers running earlier versions of Mac OS X. These
computers dont receive hierarchical preference management.
To upgrade computer lists to computer groups:
1 In Workgroup Manager, click Accounts, click the Computer Groups button, and then
select a computer list.
2 In the Basic pane, click Upgrade Computer List to Group.
124
Use this chapter to set up and manage home folders.
Mac OS X uses the home foldera folder for a users personal useto store the users
application preferences and personal 6les, like documents and music.
To set up share points that host home folders, you can use Server Admin. After setting
up share points, you can then use Workgroup Manager to set up home folders on the
share points.
About Home Folders
You can set up Mac OS X home folders so they can be accessed by Apple Filing
Protocol (AFP) or Network File System (NFS).
To set up a home folder for a user in Workgroup Manager, use the Home pane when
viewing a users account.
ou can also import user home folder settings from a 6le. lor an explanation of
how to work with import 6les, see the appendix, "Importing and Exporting Account
Information.
A users home folder doesnt need to be stored on the same server as the directory
domain containing the users account. In fact, distributing directory domains and
home folders across servers can help balance the workload. For more information, see
Distributing Home Folders Across Multiple Servers on page 126.
The home folder you designate in the Home pane can be used when logging in from
a Windows workstation or a Mac OS X computer. This can be helpful for a user whose
account resides on a server that is a Windows primary domain controller (PDC).
7
Setting Up Home Folders
Chapter 7 Setting Up Home Folders 125
WARNING: If the absolute path from the client to the network home folder on the
server contains spaces or more than 89 characters, some types of clients wont
connect. For example, a client using automount with an LDAP-based AFP home
folder might not be able to access its home folder. The / character is considered a
character.
There are additional limitations on the maximum path length, depending on the
version of Mac OS X used by clients. For more information, see the Apple Service &
Support website article, Avoid spaces and long names in network home directory
name, path, at support.apple.com/kb/HT2799.
Hosting Home Folders for Mac OS X Clients
To host home folders for Mac OS X clients, use AFP or NFS. If you are hosting only
Mac OS X clients, use AFP. If you are hosting Mac OS X and UNIX clients, use NFS.
The preferred protocol is AFP because it provides authentication-level access security.
A user must log in with a valid name and password to access 6les.
llS 6le access is based not on user authentication, but on the user l0 and the client
IP address, so it is generally less secure than AFP. Use NFS only if you need to provide
home folders for a large number of users who use UNIX workstations.
Hosting Home Folders for Other Clients
To host home folders for Windows clients, use SMB. To optimally handle both Mac OS X
and Windows clients, you could use both AFP (for Mac OS X clients) and SMB (for
Windows clients).
SMB is a protocol used by Windows to access share points. You can set up a share
point for SVb access only, so that windows users have a network location for 6les that
cant be used on other platforms. Like AFP, SMB also requires authentication with a
valid name and password to access 6les.
ln addition to having home folders, windows users also have roaming pro6les. with
roaming pro6les, each user has the same pro6le when he or she logs in to the domain
from any Windows workstation on the network.
A roaming pro6le stores a windows user's preference settings (screensaver, colors,
backgrounds, event sounds, and so on), favorites, My Documents folder, and more, in
a share point on a Vac OS \ Server. by default, a user's roaming pro6le is stored in a
predetermined folder on the PDC, and backup domain controllers (BDCs) have an up-
to-date copy of this folder.
The default share point for Windows home folders is the same as the share point for
Vac OS \ home folders. lhe default share point for user pro6les is the /Users/Pro6les/
folder on the PDC and BDC servers. (This SMB share point is not shown in Workgroup
Vanager.) ou can set up alternate SVb share points for home folders and user pro6les
on the PDC server or on domain member servers.
Distributing Home Folders Across Multiple Servers
The following illustration shows one Mac OS X Server computer storing user accounts,
and two other Mac OS X Server computers storing AFP home folders.
Home folders A through M
Mac OS X Server
Home folders N through Z
User accounts
When a user logs in, he or she is authenticated using an account stored in a shared
directory domain on the accounts server. The location of the users home folder (stored
in the account) is used to mount the home folder, which resides on one of the two
home folder servers.
Here are the steps you could use to set up this scenario for AFP home folders:
Step 1: Create a shared domain for user accounts on the accounts server Create a
shared LDAP directory domain by setting up an Open Directory master, as described in
Open Directory Administration.
Step 2: Set up an automountable share point for home folders on each home folder
server For information about how to set up automountable share points, see Setting
Up an Automountable AFP Share Point for Home Folders on page 128.
Step 3: Create the user accounts in the shared domain on the accounts server For
information about specifying which share point is used for a users home folder, see
Administering Home Folders on page 132.
126 Chapter 7 Setting Up Home Folders
Step 4: Set up the directory services of the client computers so their search policy
includes the shared directory domain on the accounts server For information about
con6guring search policies, see Open Directory Administration.
When a user restarts his or her computer and logs in using the account in the shared
domain, the home folder is created automatically (if it hasnt already been created) on
the server, and is visible on the users computer.
Administering Share Points
A share point is a hard disk (or hard disk partition), disc media, or folder that contains
6les you want users to share. ou can use share points to host home folders.
Setting Up a Share Point
You can use Server Admin to set up share points and then use the share points to
host local home folders. Or you can mount the share point so it hosts network home
folders.
To set up a share point:
1 Open Server Admin and connect to the server where you want to host the share point.
To connect to the server, choose Server > Connect, enter the server address in the
Address 6eld, and then authenticate as a server administrator.
If youre already connected, youll see Disconnect (instead of Connect) in the Server
menu.
2 Select the server and click File Sharing.
3 Click Volumes, then display folders within volumes by clicking Browse.
4 Select the volume or folder that will become a share point.
To create a folder, select a parent folder or volume and click New Folder, enter the
name of the folder, and click Create.
5 In Permissions, select entries in the list, click the Edit (pencil) button to change their
name or permissions, and change the settings as follows:
UNIX Class Name Permission
Owner (single silhouette) admin Read and Write
Group (several silhouettes) admin Read
Others (globe) Others Read
6 Click Share and then click Save.
Setting Up an Automountable AFP Share Point for Home Folders
You can use Server Admin to set up an AFP share point for home folders.
Home folders for user accounts stored in shared directory domains (such as an Open
Directory domain) can reside in any AFP share point that the users computer can
access. This share point must be automountablethat is, it must have a network
mount record in the directory domain where the user account resides.
Using an automountable share point ensures that the home folder appears in
/letwork/Servers when the user logs in to a Vac OS \ computer con6gured to access
the shared domain.
Users can access home folders on any automountable share point with guest access
enabled.
To set up an automountable AFP share point for home folders:
1 If you do not have a share point to host home folders, create one.
For instructions, see Setting Up a Share Point on page 127.
2 Open Server Admin and connect to the server that hosts the share point.
Address 6eld, and authenticate as a server administrator.
menu.
3 To view a list of available services, use the disclosure triangle next to your server.
If Server Admin doesnt list the AFP service, click the Add (+) button, choose Add
Service, select AFP, and then click Save.
4 Select the AFP service and click Settings.
5 In Access, select Enable Guest access and click Save; then if AFP is not running, click
Start AFP.
For more information about administering AFP service, see File Server Administration.
7 Click Share Points and then select the share point.
8 In Share Point, select Enable Automount.
A con6guration dialog appears. lf not, click ldit and continue.
9 Choose your directory domain from the Directory pop-up menu, choose AFP from the
Protocol pop-up menu, select Use for User home folders, and click OK.
10 In the dialog that appears, authenticate as the directory administrator and then click
OK.
11 Click Protocol Options.
12 In AFP, select Share this item using AFP and Allow AFP guest access.
When you enable guest access, it is enabled for all home folders in the share point.
By default, guests can only access /Public and /Sites folders in home folders. When a
guest browses the home folder server, they can see who has home folders on that
server but they are restricted to opening guest-access-enabled folders.
Guests can also use ~user-short-name/Public to access a users Public folder.
13 To prevent SMB access to the share point, in SMB, deselect Share this item using SMB.
14 To prevent FTP access to the share point, in FTP, deselect Share this item using FTP.
15 To prevent NFS access to the share point, in NFS, deselect Export this item and its
contents to.
16 Click OK to close the Protocol Options dialog and then click Save.
You can also set up a share point using the sharing command in Terminal. For more
information, see its man page.
Setting Up an Automountable NFS Share Point for Home Folders
Although AFP is the preferred protocol for accessing home folders (because of the
security it o1ers), you can use Server Admin to set up a network llS share point for
home folders.
llS share points can be used for home folders of users de6ned in shared directory
domains, such as an Open Directory domain or an Active Directory domain.
The NFS share point must be automountablethat is, it must have a network mount
record in the directory domain where the user account resides.
An automountable share point ensures that the computer can locate the NFS
share point and home folder. It also makes the share points server visible in
/letwork/Servers when the user logs in to a Vac OS \ computer con6gured to access
the shared domain.
To set up an automountable NFS share point for home folders:
Address 6eld, and then authenticate as a server administrator.
menu.
If Server Admin doesnt list the NFS service, click the Add (+) button, choose Add
Service, select NFS, and then click Save.
4 Select the NFS service, then if NFS is not running, click Start NFS.
For more information about administering NFS service, see File Server Administration.
6 Click Share Points and then select the share point.
7 In Share Point, select Enable Automount and then click Edit.
8 Choose your directory domain from the Directory pop-up menu, choose NFS from the
Protocol pop-up menu, select Use for User home folders, and click OK.
9 In the dialog that appears, authenticate as the directory administrator and then click
OK.
10 Click Protocol Options.
11 In NFS, select Export this item and its contents to and choose Client List.
12 Add client computers that you want to have access to the share point.
Click the Add (+) button and enter the IP address or host name of a client you want to
add to the computer group.
Click the Remove () button to remove the selected computer from the list.
13 In the Mapping pop-up menu, choose Root to Nobody.
14 In the Minimum Security pop-up menu, choose the minimum level of authentication
security required with the computers.
If your computers cant authenticate with this level of security, they cant use NFS share
points.
15 To prevent AFP access to the share point, in AFP, deselect Share this item using AFP.
16 To prevent SMB access to the share point, in SMB, deselect Share this item using SMB.
Setting Up an SMB Share Point
You can use Server Admin to:
Enable or disable access to a share point that uses SMB
Change the share point name that SMB clients see
Choose whether guest access and opportunistic locking is allowed
Set the default permissions for new 6les and folders in the share point
SMB share points cant be used for Mac OS X home folders but they can be used for
Windows home folders.
Note: Dont use a slash (/) in the name of a folder or volume you plan to share. Users
trying to access the share point might have trouble seeing it.
To create an SMB share point and set permissions:
Address 6eld, and authenticate as a server administrator.
menu.
If Server Admin doesnt list the SMB service, click the Add (+) button, choose Add
Service, select SMB, and then click Save.
4 Select the SMB service.
5 In General, select Standalone Server from the Role pop-up menu.
6 In Access, select Allow Guest access.
7 Click Save and then click Start SMB.
If SMB is already running, the Start SMB button is replaced by the Stop SMB button.
9 Select the share point.
10 In Share Point, click Protocol Options.
11 In SMB, select Share this item using SMB.
12 To allow unregistered users access to the share point, select Allow SMB guest access.
For greater security, dont select this item.
13 To change the name that clients see when they browse for and connect to the share
point using SVb, enter a new name in the "Custom SVb name' 6eld.
Changing the custom SVb name doesn't a1ect the name of the share point itself, only
the name that SMB clients see.
14 Select the type of locking for this share point:
lo allow clients to use opportunistic 6le locking, select "lnable oplocks.'
Important: Do not enable oplocks for a share point thats using a protocol other
than SMB.
For more information on oplocks, see File Server Administration.
lo set standard locks on server 6les, select "lnable strict locking.'
15 Choose a method for assigning default Ull\ access permissions for new 6les and
folders in the share point:
To set new items to adopt permissions of the enclosing item, select Inherit
permissions from parent.
lo assign speci6c permissions, select "Assign as follows' and use the Owner, Croup,
and Everyone pop-up menus.
16 To prevent AFP access to the share point, in AFP, deselect Share this item using AFP.
17 To prevent NFS access to the share point, in NFS, deselect Export this item and its
contents to.
Administering Home Folders
You can use Workgroup Manager to assign a home folder location to user accounts.
To assign a home folder location, you must create a share point. For instructions on
creating share points, see Setting Up a Share Point on page 127.
Specifying No Home Folder
You can use Workgroup Manager to change a user account that has a home folder to
one that has none. By default, new users have no home folder. When users do not have
home folders, they can't save 6les locally.
Important: Portable home directories require that you specify a network home folder.
1o dehne no home fo|der:
2 Open the directory domain where the user account resides and authenticate as an
administrator of the domain.
To open a directory domain, click the globe icon and choose from the pop-up menu.
To authenticate, click the lock.
3 Click the Users button and select user accounts.
4 Click Home and select (None) from the list.
5 Click Save.
Creating a Home Folder for a Local User
ou can use workgroup Vanager to de6ne home folders for users whose accounts are
stored in a servers local directory domain.
You might want to use local user accounts on standalone servers (servers not
accessible through a network) and for administrator accounts on a server. These
accounts are meant to be used by those logging in to the server locally. They are not
meant to be used by network users.
Home folders for local users should reside in share points on the server where the
users accounts reside. These share points do not need to be automountable (that is,
they do not require a network mount record).
A home folder has the same name as the user's 6rst short name.
To create a home folder for a local user:
1 If you dont have a share point, create one.
2 In Workgroup Manager, click Accounts and select the user account you want to work
with.
To select a local user account, click the globe icon, choose the local directory domain,
click the Users button, and then select the user account in the accounts list.
3 Click the lock and authenticate as an administrator of the local directory domain.
4 Click Home to set up the selected users home folder.
5 If the folder you want to use is a share point, select it.
The list displays all share points on the server you are connected to.
6 If the folder isnt a share point, click the Add (+) button; then, in the dialog, enter the
path to the folder in the lull Path 6eld (leaving the other two 6elds blank) and click OK.
For example, to use the local /Users folder, enter:
/Users/usershortname
Replace usershortname with the short name of the user.
Dont use a terminating slash.
7 Optionally, enter a disk quota and specify megabytes (MB) or gigabytes (GB).
8 Click Create Home Now and then click Save.
If you do not click Create Home Now before clicking Save, the home folder is created
the next time the user logs in remotely. However, clients can only connect to servers
hosting share points in the local domain.
For instructions on setting up a share point for Mac OS X clients, see Creating a
Network Home Folder on page 134.
To create a home folder for a user: B
$ sudo createhomedir -u uid
In addition to the uid, you can also use the users short name.
To create a home folder for users in the local domain: B
$ sudo createhomedir [(-a|-l|-n domain)] -u uid
You can also create a users home folder using the serversetup tool.
To create a home folder for a user: B
$ sudo /System/Library/ServerSetup/serversetup -createHomedir uid
The command displays a 1 if the user ID you specify doesnt exist.
For more information, see the createhomedir man page.
In all cases, home folders are created on the server where you run the tool.
Creating a Network Home Folder
In Workgroup Manager, you can set up a network home folder for a user account
stored in a shared directory domain.
A users network home folder can reside in any AFP or NFS share point that the users
computer can access.
The share point must be automountablethat is, it must have a network mount
record in the directory domain. An automountable share point ensures that the
client computer can locate the share point and the home folder. It also makes the
share points server visible in /Network/Servers when the user logs in to a Mac OS X
computer con6gured to access the shared domain.
You can use Workgroup Manager to create a network home folder for a user whose
account is stored in an Open Directory domain or another read/write directory domain
accessible from the server you are using. You can also use Workgroup Manager to
review home folder information in any accessible read-only directory domain.
To create a network home folder for AFP or NFS share points:
1 Make sure that the share point exists on the server where you want the home folder
to reside and that the share point has a network mount record con6gured for home
folders.
For instructions, see Setting Up an Automountable AFP Share Point for Home
Folders on page 128, or Setting Up an Automountable NFS Share Point for Home
Folders on page 129.
2 In Workgroup Manager, click Accounts and select the user account you want to work
with.
icon, choose the directory domain where the user account is stored, click the Users
button, and then select the user account in the accounts list.
administrator.
4 Click Home; then in the share points list select the share point you want to use.
The list displays automountable network-visible share points in the search policy
of the server you are connected to, as well as custom home folder locations in the
directory domain.
If the share point you want to select is not listed, try clicking Refresh. If the share point
still does not appear, it might not be automountable.
5 Set up the share point to have a network mount record con6gured for home folders as
described in step 1, or create a custom home folder location as described in Creating
a Custom Location for Home Folders on page 136.
For AFP share points, if you do not click Create Home Now before clicking Save, the
home folder is created the next time the user logs in remotely. For NFS share points,
you are required to click Create Home Now before clicking Save.
lhe home folder has the same name as the user's 6rst short name.
8 If the home folder is in a new NFS share point, make sure the user restarts his or her
computer so the share point is visible.
When the user logs in using SSH to obtain command-line access to the server, the
users home folder is mounted.
You can also create a network home folder using the createhomedir command in
Terminal. For more information, see Creating a Home Folder for a Local User on
page 133.
Creating a Custom Location for Home Folders
The users home folder does not need to reside in the share point folder. For example,
you can organize home folder locations by creating several subfolders in a share
point. If /Homes is the share point folder, you can place teacher home folders in
/Homes/Teachers and student home folders in /Homes/Students.
ou can use workgroup Vanager to de6ne a custom location for the home folder
of a user whose account is stored in a servers local directory domain or in a shared
directory domain. Shared directory domains can be an Open Directory domain or
another read/write directory domain, and must be accessible from the server that you
are using.
lo create a custom location for home folders, your share point must be con6gured
correctly.
The share point for a local user accounts home folder should reside in an AFP share
point on the server where the user account resides. This share point does not need
to be automountablethat is, it does not require a network mount record in the
directory domain.
The share point for the home folder of a user account in a shared directory domain
can reside in any share point that the users computer can access. This share point
must be automountable. Additionally, any NFS share point used for home folders must
also be automountable.
For instructions, see Setting Up an Automountable AFP Share Point for Home
Folders on page 128, or Setting Up an Automountable NFS Share Point for Home
Important: The following procedure requires Mac OS X Server v10.4.3 or later.
To create a custom home folder using Workgroup Manager:
1 Vake sure the share point exists and is con6gured correctly.
2 To have the home folder reside beneath a folder under the share point, use Workgroup
Manager or the Finder to create all folders in the path between the share point and
where the home folder resides.
3 In Workgroup Manager, click Accounts and then select the user account you want to
work with.
button, and then select the user account.
administrator.
5 Click Home.
6 Click the Add (+) button to add a custom home folder location or select a location and
click the Duplicate (copy icon) button to copy an existing location.
7 ln the Vac OS \ Server/Share Point URl 6eld, enter the full URl to an existing
automountable AFP share point where you want the home folder to reside or leave
this 6eld blank for an llS share point.
For example, if the AFP share point is /Homes and you are using DNS, you might
enter afp://server.example.com/Homes. If you are not using DNS, replace the
DNS name of the server hosting the home folder with the servers IP address:
afp://192.168.2.1/Homes. Dont put a slash (/) at the end of the URL.
8 ln the Path to lome lolder 6eld, enter the path from the AlP share point to the home
folder, including the home folder but excluding the share point.
lor an llS share point, leave this 6eld blank.
For example, to create a home folder for a user named Smith, in a custom location of
/Homes/Teachers/SecondGrade/, enter Teachers/SecondGrade/Smith. Make sure the
custom location folder exists.
Do not put a slash (/) at the beginning or the end of the path.
9 ln the lull Path 6eld, enter the full path to the home folder, including the home folder
itself, in this format:
[/Network/Servers/servers-host-name/][Volumes/[drive/]volume/]share-point/path
The entries in brackets ([ ]) are optional. Include them only if they apply to the
share point location. If the share point is for local user accounts, do not include
/Network/Servers/servers-host-name.
Replace the following elements:
Element Do this
servers-host-name Replace this with the AFP servers host name.
drive If the share point is stored on a server with
multiple storage devices, replace this with the
name of the storage device.
volume If the share point is stored on a server with
multiple volumes, replace this with the name of
the volume storing the share point.
share-point Replace this with the name of the share point.
path Replace this with the path you entered in the
previous step.
Use an initial slash (/) but no terminating slash.
For example, the following is a Full Path entry for a custom home folder for local users:
/Homes/Teachers/SecondGrade/Smith
The following is a Home entry for a custom home folder in the Hard-Drive volume
stored in a server located at server.example.com:
/Network/Servers/server.example.com/Volumes/Hard-Drive/Homes/Teachers/
SecondGrade/Smith
If you used a volume named HomeFolders in an external drive named external-HD as a
location for a custom home folder, the Full Path entry looks like this:
/Network/Servers/server.example.com/Volumes/external-HD/HomeFolders/Homes/
Teachers/SecondGrade/Smith
10 Click OK.
If you do not click Create Home Now before clicking Save, the home folder is created
the next time the user logs in to a client computer.
Note: lome folders are created the 6rst time a user logs in only on share points served
through an AFP or SMB server. You must create NFS home folders manually.
Setting Up a Home Folder for a Windows User
Using Workgroup Manager, you can set up a network home folder that mounts when
a Windows user logs in to a Windows domain. Normally, the same network home
folder is also mounted if the user logs in on a Mac OS X computer. You can also set up
separate home folders if you prefer.
You can create a home folder in any existing share point, or you can create the home
folder in the /Users foldera prede6ned share point.
lo create a home folder in a new share point, create the share point 6rst. lhe share
point for a Windows home folder must be on a Windows domain member server or
the PDC server and use SMB protocol. For instructions, see Setting Up an SMB Share
Point on page 130.
If the share point is used for Mac OS X home folders, it must also use AFP or NFS and
have a network mount record con6gured for home folders.
Set the Windows home folder for a user account in the Mac OS X Server PDC LDAP
directory. If you have a BDC, the PDC server replicates changes to it.
To set up a home folder in an existing share point:
1 In Workgroup Manager, open the user account where you want to set up a home
folder.
To open an account, click Accounts, click the globe icon below the toolbar, and then
open the PDC LDAP directory.
To edit home folder information, click the lock to authenticate as an LDAP directory
administrator and then select the user in the user list.
2 To use the same network home folder for Windows as for Mac OS X, click Home,
specify the share point to use, and then do the following:
In the share points list, select /Users or the share point you want to use and then
click Create Home Now.
If you want to select /Users but it isnt listed, click the Add (+) button and then in
the lull Path 6eld, enter.
/Users/usershortname
Replace usershortname with the 6rst short name of the user account you're
con6guring.
Optionally, enter a disk quota for the users home folder and specify megabytes (MB)
or gigabytes (GB).
Important: lhis quota also applies to the user's roaming pro6le if it's on the same
volume as the home folder. Make sure the quota is adequate for both folders for
an entire work session. A user's pro6le folder includes the Vy 0ocuments folder
and the Internet Explorer cache, which often use considerable disk space. For more
information, see Setting Disk Quotas for Windows Users to Avoid Data Loss on
page 141.
3 Click windows and enter the home folder location in the Path 6eld.
To use the same home folder for Windows login and Mac OS X login, leave Path
blank. You can also specify this home folder by entering a UNC path that doesnt
include a share point:
\\servername\usershortname.
Replace servername with the NetBIOS name of the PDC server or a Windows domain
member server where the share point is located. You can see the servers NetBIOS
name by opening Server Admin and clicking SMB in the Servers list. Then click
Settings, click Ceneral, and look at the Computer lame 6eld.
Replace usershortname with the 6rst short name of the user account you're
con6guring.
lo specify a di1erent SVb share point, enter a UlC path that includes the share
point:
\\servername\sharename\usershortname
Replace sharename with the name of the share point.
4 From the Hard Drive pop-up menu, choose a drive letter.
The default drive letter is H. Windows uses the drive letter to identify the mounted
home directory.
5 Click Save.
6 lf the Path 6eld isn't blank, make sure the speci6ed share point contains a folder for the
users home folder.
lhe folder's name must match the user's 6rst short name and the user must have read
and write permission for the folder.
lf the Path 6eld is blank, the home directory share point doesn't need to contain a
home folder for the user. In this case, Mac OS X Server creates a home folder in the
share point speci6ed in the lome pane.
Setting Disk Quotas
ou can limit the disk space users have available to store 6les in the volume where
their home folders reside.
lhis quota applies to all 6les that the user stores in the volume where his or her home
folder resides, including all 6les stored in the user's drop box. lherefore, when a user
places 6les in another user's drop box, it can a1ect the other user's disk quota or have
other e1ects, such as these.
when you copy a 6le to a user's AlP drop box, the owner of the drop box becomes
the owner of the 6le.
ln llS, when you copy a 6le to another folder, you remain the owner and the copy
operation reduces your disk quota on that partition.
WARNING: If you set a disk quota on a user with a mobile account, the quota only
a1ects the user's network home folder. lhere are no quota restrictions on the user's
local home folder.
Setting the quota too low can cause sync issues and data loss. For example, if you set
a 250 MB quota and the user uses 500 MB on his or her local home folder, the mobile
account doesnt sync entirely.
lhe home folders sync until the 250 Vb quota is met, and unsynced 6les remain
local. When the user logs in to another computer and syncs, only 250 MB of data
syncs from the network home folder.
To set up a home folder share point disk quota using Workgroup Manager:
button, and then select the user account.
administrator.
4 Click lome, specify the disk quota using the 0isk Quota 6eld and the ad|acent pop-up
menu, and then click Save.
5 Make sure disk quotas are enabled for the volume where the share point resides.
6 In Server Admin, select the server hosting home folders and then click File Sharing.
7 Click Volumes and then select the volume that stores home folders.
8 Click Quotas, select Enable quotas on this volume, and then click Save.
Setting Disk Quotas for Windows Users to Avoid Data Loss
A disk quota that applies to a windows user's roaming pro6le folder must be large
enough to cover the users expected data storage needs for a work session.
A Vac OS \ Server P0C enforces quotas on a roaming pro6le folder only at the end
of a work session when the user logs out and the Windows computer copies the local
pro6le to the roaming pro6le on the server.
lf the copied local pro6le exceeds the quota, the roaming pro6le won't be updated
with changes a1ecting the local pro6le since the user logged in.
lf enforcing a user's disk quota prevents an update of the user's roaming pro6le, and
the user later logs in using a di1erent windows computer, windows could load and
apply the outdated roaming user pro6le from the server.
lhe server can't enforce the quota incrementally on the roaming pro6le folder because
the windows computer updates only the local pro6le during a work session. (lhe
server enforces a quota incrementally on changes to the home folder.)
A roaming pro6le folder is sub|ect to the same disk quota as the home directory if
both are on the same volume. A user's pro6le directory is not sub|ect to a disk quota if
it's on a di1erent volume from the user's home directory or the home directory is not
subject to a disk quota.
because a quota that covers the roaming pro6le directory also covers the home
directory, make sure the quota is adequate for an entire work session and the users
home folder. A user's pro6le folder includes the Vy 0ocuments folder and the lnternet
Explorer cache, which often uses a considerable amount of disk space.
The recommended minimum quotas are:
10 MB for a user who logs in only from Windows workstations
20 MB for a user who logs in from Windows and Mac OS X computers
Using Presets to Choose Default Home Folders
ou can de6ne default home folder settings to use for new users by using a preset to
prede6ne them. lor information about de6ning and using presets, see "Using Presets
to Create Accounts on page 64.
Moving Home Folders
To move a home folder, create a new home folder, copy the contents of the old home
folder into the new home folder, and then delete the old home folder.
Deleting Home Folders
When you delete a user account, the associated home folder is not deleted.
The administrator must delete the home folder manually by moving it to Trash.
143
Use this chapter to learn about tools available to manage
portable computers.
Mac OS X Server allows you to create and manage mobile accounts for users of
portable computers.
About Mobile Accounts
If your organization uses portable computers, assign mobile accounts to users. This
allows you to manage their preferences and control their level of access to local and
network resources. These mobile accounts, which are designed for portable computers,
provide many advantages over local or network accounts.
A mobile account includes a network home folder and a local home folder. Having
these two types of home folders allows users to take advantage of features available
for local and network accounts. ou can sync speci6c folders in these two home
folders, creating a portable home directory.
Syncing ensures that users access their most recently updated 6les when they
connect to the network. lf a user modi6es 6les on di1erent computers, when he or she
connects to the network and syncs, his or her computer retrieves the most recently
synced 6le.
Mobile accounts also cache authentication information and managed preferences. A
users authentication information is maintained on the directory server but is cached
on the local computer. With cached authentication information, a user can log in using
the same user name and password, even if he or she is not connected to the network.
For example, if a student has a mobile account, the students login name, password,
and preferences de6ned for the user account, workgroups, and computer are the same
at school and at home. If you change these items, the local versions are updated when
the user logs in at school.
8
Managing Portable Computers
About Portable Home Directories
A portable home directory is a synced subset of a users local and network home
folders. ou can con6gure which folders to sync and how often to sync them. Users
can also initiate syncing. by syncing key folders, a user can work on or o1 the network
and experience the same work environment.
Because the user has a local home folder that only syncs periodically or at login and
logout, the mobile account reduces network tra1c, expediting server connections for
users who need to access the server.
lhe computer locally caches temporary 6les. lhis improves network and individual
computer performance because the user's computer locally caches 6les like webpages.
Because GUIDs for the local user account on the users computer and in the network
user account on an Open 0irectory server are the same, 6le permissions are the same
whether the user logs in using the local user account (while disconnected from the
network) or the network user account.
You can assign mobile accounts to users with accounts stored in an Active Directory
domain. To manage sync settings for these mobile accounts, extend the Active
Directory schema to accept and map Open Directory attributes.
There are two ways to create mobile accounts:
Use Workgroup Manager to enable syncing of user accounts
Allow network users to create mobile accounts themselves
For instructions on using Workgroup Manager to enable syncing, see Creating a
Mobile Account on page 216.
Users with network accounts who have administrative access to their computers can
create mobile accounts, which also creates a portable home directory. You can manage
their sync settings in the Rules panes of Mobility preferences.
To prevent users from creating mobile accounts, you can choose not to show Accounts
in their System Preferences. lor instructions on denying access to speci6c System
Preferences, see Managing Access to System Preferences on page 240.
You can also manage Mobility preferences so users they cant create mobile accounts.
For instructions on managing Mobility preferences, see Preventing the Creation of a
Mobile Account on page 218.
144 Chapter 8 Managing Portable Computers
Chapter 8 Managing Portable Computers 145
Logging In to Mobile Accounts
If a user has created a portable home directory, logging in to a mobile account is
similar to logging in to a local account. The user selects his or her account and then
enters the correct password to complete the login. If the account is not displayed, the
user must enter a login name and password. If you enabled login and logout syncing,
the users folders sync and the users desktop appears.
lf the user does not have a mobile account with a portable home directory, di1erent
steps are required after authentication. One of the following occurs, depending on
mobile account creation settings:
lf you deselected "Require con6rmation before creating mobile account,' the
computer creates the mobile account.
lf you selected "Require con6rmation before creating mobile account,' the user sees
a con6rmation dialog that allows him or her to create a portable home directory,
delay it, or not create a portable home directory and disable the dialog until the
user holds down the Option key during login.
You can allow the user to choose which volume stores the users local home folder in
Mobility options. Before the mobile account is created, the user must choose where to
store the local home folder.
Mobile accounts remain on the computer even when the user logs out or disconnects
from the network. Even when disconnected, the user can still log in to that account.
Note: The mobile accounts local home folder is deleted if you set account expiry
settings and the account goes unused or if a local administrator deletes it. When
the local home folder is deleted, the mobile account user cant log in away from the
network.
The login window lists the mobile account based on the following:
Login window settings
The version of Mac OS X installed on your computers
Whether the mobile account has a local home folder on the computer
For more information, see Changing the Appearance of the Login Window on
page 202.
An external account is a special type of mobile account that is di1erent from typical
mobile accounts in the way users log in. For more information, see the next section.
keso|vng Sync Concts
when a user's 6les and folders sync, a sync conict can occur if a 6le in the user's local
home folder and the network home folder have two versions of a 6le and it is not clear
which one should be saved. Sync conicts usually occur when a mobile account user
changes 6les on one or more computers.
when sync conicts occur, a dialog appears that allows the user to choose which
version of a 6le to sync. lhe user can keep the 6les in the local or network home folder
or keep both 6les.
The user can reset the sync history by pressing and holding the Shift and Option keys
while logging in. when the sync information is reset and a sync conict occurs, the
sync conict dialog reappears, asking which version of a 6le should be synced.
About External Accounts
An external account is a mobile account that has its local home folder stored on a
volume in an external drive. The portable home directory is created from the local
home folder stored on that external drive and the users network home folder.
When the user connects an external drive containing his or her local home folder,
the user can log in and use his or her account in the same way as if he or she had
a mobile account with a local home folder on the computer. If the login window
displays accounts in a list, the user can select his or her account, or if it has a name and
password 6eld, the user can enter his or her name and password.
External accounts require Mac OS X v10.5 or later and an external or ejectable volume
that is formatted as Mac OS X Extended format (HFS Plus) or MS-DOS format (FAT).
If the external account is stored on a portable computer, the user must start target disk
mode on the portable computer before connecting it to the client computer. When
the portable computer is in target disk mode, all mobile accounts stored on it become
external accounts.
After the user logs in, Mac OS X only shows the external account that the user logged
in with. When the user views the account list in Accounts System Preferences, the user
sees his or her external account but doesnt see other external accounts.
Similarly, the fast user switching menu displays all accounts with local home folders
on the client computer. If the user chooses Login Window from the fast user switching
menu, all external accounts are shown in the fast user switching login window.
Because their home folder is stored on an external volume, external account users can
use File Sharing only when the external volume is present.
All mobile accounts on Mac OS X v10.5 or later (including external accounts) can use
FileVault to encrypt the contents of the local home folder. For more information, see
Enabling FileVault for Mobile Accounts on page 219.
For information about creating external accounts, see Creating External Accounts on
page 222.
Logging In to External Accounts
If a user has a local home folder on an external drive and he or she connects it to a
computer that allows the external account, logging in to an external account is like
logging into a mobile account.
If there isnt a local home folder on the external drive, or if the external account isnt
allowed, the user must take a few additional steps before he or she can log in with the
external account. If the user has a local home folder on the computer, the user cant
create a local home folder on an external drive.
If the user doesnt have a local home folder on an external drive, the location setting in
mobile account creation options might give the user the choice of where to store the
local home folder:
If you set the location to user chooses, a window appears allowing the user to
choose where to store the local home folder. You can limit the choices to store on
the computer or on an external drive, or you can choose both. If the user chooses an
external drive, a local home folder is created on the external drive.
If you set the location to at path and enter the path to the external drive, the user
doesnt choose a location.
For more information about setting up mobile account creation options, see Creating
External Accounts on page 222.
After a local home folder is created on the external drive, if the computer is connected
to the directory server that holds the mobile account, the user is allowed to log in.
If its not connected to the directory server, Mac OS X checks to see if the external
account is allowed or denied access to the computer.
If an external account isnt permanently allowed or denied access to a computer,
a dialog appears asking if the external account should be allowed or denied access
to the computer. To allow access, the user must authenticate as the local computer
administrator.
If the external account is allowed access, the user logs in. If the user is denied access,
the user is returned to the login window.
The local administrator can permanently allow or deny access to the computer.
If a user is permanently denied access, he or she can hold down the Option key
while logging in to redisplay the dialog.
Considerations and Strategies for Deploying Mobile Accounts
Before you deploy mobile accounts, carefully weigh the advantages and disadvantages
of using them and strategize how you will con6gure them.
when you properly con6gure mobile accounts, you can create a work environment
where users e1ortlessly access their latest 6les from several locations, keep their
managed preferences while o1ine, and retrieve 6le backups if they lose or damage
their computers, while requiring less network tra1c than network accounts.
lf improperly con6gured, mobile accounts can overload the server, force users to wait
for long periods of time to log in or log out, and potentially cripple client computers
by using all available hard disk space.
Advantages of Using Mobile Accounts
Mobile accounts have several advantages over using local or network accounts.
Applications locally cache temporary 6les.
Vobile accounts create less network tra1c than network accounts.
You can manage individual mobile accounts.
Users can access their accounts and 6les when disconnected from the network.
Users can recover data if their computers or external drives are lost or damaged.
A|catons |oca||y cache temorary h|es: When mobile account users run
applications, those applications cache temporary 6les on the local computer. when
external account users run applications, those applications cache temporary 6les on
the external drive. When network account users run applications, instead of caching,
the applications transfer temporary 6les over the network.
because mobile accounts are not repeatedly transferring temporary 6les, they tend to
be faster than other account types and also o1er improved application stability. Some
applications don't work with network home folders and temporary 6les that are not
cached locally. Using mobile accounts, these applications run as if the user had a local
account.
Mob|e accounts create |ess network tramc than network accounts: When network
account users save 6les, they transfer the 6les over the network. when they open
6les, they also transfer 6les over the network. with a mobile account, 6les are stored
locally (on the client computer or in an external drive) and are only transferred during
syncing.
Syncing only transfers 6les if the modi6cation time of a local or network 6le is di1erent
than the last time the 6les synced.
Vobile accounts cache temporary 6les locally, improving network and individual
computer performance. Caching 6les like webpages locally helps reduce network
tra1c.
ou can also reduce network tra1c by carefully planning user sync settings. lor
information about how to plan sync settings, see Strategies for Syncing Content on
page 151.
You can manage individual mobile accounts: Like network accounts, you can use
Workgroup Manager to manage preferences and set account attributes for individual
mobile accounts.
You can manage users with local accounts only if you add a computer to a computer
group. lhis allows you to set management preferences a1ecting all local accounts for
that computer but it doesnt let you manage individual local accounts. To manage
speci6c local accounts, you must log in to the local computers individually or use
Apple Remote Desktop.
0sers can access ther accounts and h|es when dsconnected from the network:
Mobile accounts have two key features that allow users to access their accounts and
6les when disconnected from the network. cached authentication and portable home
directories.
When mobile account users disconnect from the network using cached authentication,
they can log in to the mobile account using the local home folder stored on the
portable computer or on an external drive using the same login name and password
they used when the computer or external drive was last connected.
By contrast, network account users cant access their accounts when they disconnect
from the network. If you change the password for a user remotely, the next time the
user connects to the network, he or she must use the new password to authenticate.
For information about portable home directories, see About Portable Home
Directories on page 144.
Users can recover data if their computers or external drives are lost or damaged:
If a user with a mobile account loses or damages his or her portable computer or
external drive and logs in using a new computer, the server restores all previously
synced 6les during the next sync.
Considerations for Using Mobile Accounts
Although mobile accounts provide many advantages over local and network accounts,
they also have a few speci6c con6guration needs that, if ignored, can create problems
for network administrators.
Consider the following:
Improperly set sync settings can cause long delays during login and logout and can
create inconsistent home folders.
If multiple users create a mobile account on the same computer, it could cause
excessive proliferation of home folders.
Vobile accounts can't restore deleted 6les through syncing.
You cant create mobile accounts when connected to a network through a virtual
private network (VPN) connection.
Improperly set sync settings can cause long delays during login and logout and can
create inconsistent home folders: lf you only sync large 6les at login and logout, this
could signi6cantly increase the amount of time it takes for users to log in and out. lf
users make changes to large 6les, they must wait for the 6les to sync before they can
6nish logging in or logging out.
lf a number of users are making changes to large 6les and are simultaneously logging
in to a wireless network with limited bandwidth, they can overload the network,
further delaying their login.
If you do not sync key folders, this can create inconsistent home folders and confuse
your users.
For example, as a school administrator, lets say you decide to only sync a students
~/Documents folder. This means that if students dont save their homework in the
~/Documents folder, their homework isnt synced. When the students log in on
another computer, they cant access their homework. Also, if homework saved in
~/Documents references pictures in ~/Pictures, the references might not work because
the ~/Pictures folder is not synced.
If multiple users create a mobile account on the same computer, it could cause
excessive proliferation of home folders: If you have a shared-access computer
like a kiosk or lab computer, every time a user creates his or her mobile account, a
local home folder is created. lf unmanaged, this could completely 6ll the computer's
available hard disk space.
If you set account expiry settings for a mobile account, you can automatically delete
the local home folder after a period of inactivity. If you dont want to automatically
delete the home folder, consider using network or generic local accounts, both of
which prevent the user from creating local home folders.
If you set up a guest account, the contents of its local home folder are deleted when
the user logs out.
Mob|e accounts can't restore de|eted h|es through syncng: Although mobile
accounts keep user 6les stored in two locationsin local and network home folders
they do not eliminate the need for a formal backup system.
when you con6gure the user's portable home directory, you choose a subset of their
folders to sync. lhis syncing a1ects 6les that are new, modi6ed, or deleted since the
last sync.
lf users save 6les in locations that are not synced, the 6les remain local. lf users delete
6les and then sync, those 6les are removed from local and network home folders.
Unlike some formal backup solutions, users can't retrieve older versions of 6les, such as
versions saved prior to the last sync.
You cant create mobile accounts when connected to a network through a virtual
private network (VPN) connection: You must create mobile accounts while being
directly connected to the network. After enabling a mobile account, you can then use
VPN to connect to the network and sync your mobile account.
Strategies for Syncing Content
Administrators can create a mobile account through Workgroup Manager, and
users can create one through Accounts preferences. lach method has di1erent sync
capabilities:
When you create a mobile account through Workgroup Manager, you can sync any
folder in the users home folder.
When users create a mobile account, they can only sync top-level folders like
~/Desktop or ~/Documents.
A background sync occurs at a frequency set by you, or when the user manually syncs.
By default, when you enable background syncing, it occurs every 20 minutes.
lf a 6le in one home folder is modi6ed and the 6le in the other home folder isn't, the
newer 6le overwrites the older 6le. lf both 6les have been modi6ed since the last sync,
the user chooses which 6le to keep.
0o not use background syncing with folders containing 6les accessed by multiple
computers. lhis can cause users to load older, unsynced 6les. lxamples.
lhe user saves a 6le on one computer and loads the 6le on another computer. lf
the 6le was not synced to the server after its last save, the user loads an outdated
version of the 6le from the server.
lhe 6le might not exist on the server because it was not synced. lf not, the user does
not see the 6le or loads an outdated local version.
The user uses the same mobile account to log in to two computers simultaneously.
This can create sync issues with the computers, causing problems.
Carefully manage login and logout syncing because of the delay caused by syncing.
lf a user has a slow network connection or is syncing many 6les or large 6les, the user
must wait for syncing to complete before logging in or out.
lo sync preference 6les such as the user's bookmarks and application preferences, use
login and logout syncing. lf you sync them in the background, newer 6les in the user's
local home folder overwrite older 6les in the user's network home folder, but newer
6les in the user's network home folder aren't synced until the user logs in or out.
Consider syncing smaller 6les (such as preference 6les) at login and logout while
syncing larger 6les (such as movies) in the background. lhis reduces login and logout
times because only preference 6les sync, and movies sync throughout a user's session
(instead of while the user is trying to log out). ou can further reduce network tra1c
by choosing not to sync the movies folder, requiring users to access the movies folder
locally.
By balancing login and logout syncing with background syncing, you can reduce the
time required for logging in and logging out, while retaining consistent, synced home
folders.
Setting Up Mobile Accounts for Use on Portable Computers
When distributing portable computers, you face challenges that dont apply when
deploying stationary computers.
lor example, to ensure your portable computers remain managed while o1 the
network, you must give users mobile accounts and prevent them from creating their
own local accounts, or from changing settings to bypass management.
Conhgurng Portab|e Comuters
when you distribute portable computers to users, you must con6gure those
computers to prevent users from circumventing your management scheme.
To set up portable computers for use on your network:
1 Install the operating system, applications, and utilities.
Most computers come with Mac OS X installed. However, to install a newer version,
make sure the computer meets the minimum requirements for installing the operating
system, applications, and utilities.
2 Create local accounts on Mac OS X computers.
Create at least one local administrator account and create local user accounts as
needed. Make sure the users local account names are not easily confused with the
users network names.
By creating an administrator account, you are preventing the user from having
administrator access unless you specify it for that user. Administrator access allows the
user to override many managed settings.
3 Set up computers and computer groups on your server.
Use Workgroup Manager to create computer accounts for portable computers and
then add them to a computer group and enforce preference management for all users
of those computers.
Computer group management does not always a1ect external accounts because
external accounts can be used on computers that arent connected to the network.
Allow the creation of mobile accounts for speci6c computers or computer groups
rather than for speci6c users or groups. 0oing so limits the creation of portable
home directories only to speci6c computers. lhis way you can ensure that users who
use several computers do not create portable home directories on each of those
computers.
For more information about creating computer groups, see Chapter 6, Setting Up
Computers and Computer Groups. For instructions about creating mobile accounts,
see Creating a Mobile Account on page 216.
Managing Mobile Clients Without Using Mobile Accounts
There are several situations in which you should not use mobile accounts for portable
computer users. This section describes those situations and provides alternatives to
using mobile accounts that allow you to manage portable computers.
Unknown Mac OS X Portable Computers
If a computer is connected to your network but is not in a computer group, it is
considered to be an unknown or guest computer. If you can identify the unknown
computer by its Ethernet ID, you can create a computer account for it so that its no
longer a guest computer.
You can use the guest computer account to manage guest computers on your
network. This allows you to manage Mac OS X portable computers joining your
directory domain. If guest computer users log in using network or mobile accounts,
their user and group managed preferences and account settings apply.
For more information about how managed preferences interact when applied to users,
groups, computers, and computer groups, see Understanding Managed Preference
Interactions on page 168.
For more information about setting up a guest computer account for Mac OS X users,
see Working with Guest Computers on page 117.
Using Mac OS X Portable Computers with One Primary Local User
You can also distribute portable computers with only local accounts and not assign
mobile or network accounts to users. This can reduce or eliminate the burden of
maintaining dedicated directory domain servers and servers that store home folders.
Even with local accounts, you can still manage users computers when they use your
network by adding their computers to a computer group.
When distributing portable computers, you can still retain control over the computer
when the user logs in with a local account while o1 the network. lo restrict a user from
full use of the computer, do not assign him or her local administrator privileges.
ou can also set parental controls to further control the computer while o1 the
network. For more information about how to set parental controls, see Mac Help.
To restrict users from full access to a computer, create a local administrator account
and a local user account on the computer. Give the user the login information for
the local user account but not the local administrator account. Only administrator
accounts allow users to install software and save or delete 6les outside of the home
folder.
If you make a user the local administrator of a computer, you can deny him or her
the ability to turn o1 your computer management. lowever, in many cases, the local
administrator can still override management settings.
lf local users want to share 6les with other users over the network, they can enable lile
Sharing in the Sharing pane of System Preferences and then use their ~/Public folder
to share. Similarly, local users can connect to the computers of other users who have
File Sharing enabled.
If users also have network accounts, you might prefer that they log in through their
local accounts to reduce network tra1c. lhey can connect to their network accounts
through the Connect to Server command in the Finder Go menu.
Using Mac OS X Portable Computers with Multiple Users
Although mobile accounts are best suited for portable computers, there are a few
situations in which using local accounts provides advantages over using mobile
accounts.
For example, a schools wireless mobile lab might consist of 20 to 30 MacBooks, an
instructors computer, an AirPort Extreme Base Station, and a printer, all located on a
mobile cart. Because all of these computers are on a mobile cart, the school could use
this lab for multiple classrooms throughout the campus.
when using a wireless mobile lab, it is very di1cult to control who uses speci6c
computers. Unlike personal portable computers (where you know who uses which
computer), or with stationary computers (where you can assign seating charts), it is
hard to consistently use a distribution scheme for a wireless mobile lab. You could use
stickers to label the computers and control distribution, but teachers would still need
to monitor distribution to ensure students dont take the wrong computer.
When users create a portable home directory, they create a local home folder on the
computer using some of the computers hard disk space. If several dozen users create
local home folders on a computer, you could run out of hard disk space for their 6les.
You might have to set strict account expiry settings, depending on the amount of hard
disk space on the computers and how many users use them.
Another consideration when using a wireless mobile lab is that the total network
throughput is much more limited than a wired lab. If users have network accounts,
when they open or save 6les it requires using the network, possibly slowing the
network connections of other users.
Although mobile accounts help alleviate these issues, frequent syncing can also slow
the network. Creating mobile accounts without synced folders e1ciently utilizes the
network. lowever, users must still copy and store 6les in their network home folders if
they want to access their 6les from other computers.
To manage your carts MacBooks, you might create generic local user accounts on
each computer.
For example, you could create identical generic local user accounts on each computer
(such as all accounts could have Math as the user name and student as the
password), and then create di1erent generic local accounts for each class (such as an
account for a history class, one for a biology class, and so on). Each account has a local
home folder but does not have administrator privileges.
To perform maintenance tasks and upgrades, install software, and administer local user
accounts, you would use a separate local administrator account on each computer to
allow server administrators (or other individuals).
lf a generic con6guration works for all users of a computer, instead of creating several
generic local accounts, enable the guest account. To use the guest account, your
computers must run Mac OS X v10.5 or later. The guest account is a local account that
doesnt require a password and cant be logged into remotely. When a guest user logs
out, all information and 6les in the guest account's home folder are deleted.
After creating local user accounts or enabling the guest account, you could then add
each computer to a computer group and manage preferences for the computer or
computer group.
Because multiple users can store items in the local home folder for a generic account,
you might want to periodically clean out that folder as part of your maintenance
routine.
ou might also recommend that students save 6les to a network drop box to ensure
their 6les are not deleted, and to allow them to access those 6les regardless of who
uses the computer next.
Instead of using local accounts, you could use external accounts, which would give
your users individual accounts (with separate home folders). For external accounts,
each student needs an external drive. This eliminates the need for hard-disk-space
management on the portable computers, and you dont have to set strict account
expiry settings. This also allows you to manage at the level of users, groups, computers,
or computer groups.
The biggest issue with using external accounts for a mobile lab cart scenario is sync-
over-wireless. If you dont carefully set sync settings, the mobile accounts could sync
very large 6les and overload the wireless network.
Securing Mobile Clients
Several security considerations for mobile clients do not exist for stationary clients.
These considerations are relevant because of the mobility of the users computers.
when they are o1 your network, you can no longer monitor the actions of malicious
users, nor can you control the network environment that your users join.
You can use FileVault to secure the local home folder of a mobile account. If an
intruder accesses the computer storing the local home folder while the user isnt
logged in, the intruder cant access the contents of the local home folder. For more
information, see Enabling FileVault for Mobile Accounts on page 219.
Consider taking additional steps to improve your network security and client
computer security. For information, see /oc O5 \ 5ecut|ty coohqutot|oo and Mac OS X
5etvet 5ecut|ty coohqutot|oo.
Optimizing the File Server for Mobile Accounts
In Server Admin, you can enable an option called Server Side File Tracking for Mobile
lome Sync,' which reduces the strain on a 6le server that occurs when mobile
accounts sync.
When mobile accounts sync, the users computer scans every folder in the local home
folder and compares them with all folders in the network home folder. This scanning is
unnecessary when only a few folders change and require syncing.
lf you enable the option, a server daemon updates the database of changed 6les.
The users computer scans only the folders in the local home folder that have been
modi6ed since the last time the database was updated.
lo enable the option, lCP port 2336 must be open on your 6le server's 6rewall.
1o otmze the h|e server for mob|e accounts:
1 In Server Admin, click the disclosure triangle for the server hosting network home
folders for mobile accounts.
2 If Firewall isnt listed, select the server, click Settings, click Services, select Firewall, and
then click Save.
3 Select Firewall, click Settings, and then click Services.
4 Choose the address range for your users computers from the Edit Services for pop-up
menu.
5 Select "Allow only tra1c from 'ipaddress to any of these ports, select the Allow
checkbox for Mobile Account Sync (port 2336), and then click Save.
6 Select the server, click Settings, and then click General.
7 Select Server Side File Tracking for Mobile Home Sync and then click Save.
158
Use this chapter to learn about Mac OS X client management.
Client management is the centralized administration of your users computer
experience, as shown in the following illustration.
Computers
and desktops
Client management
Applications,
folders, and files
Printers and
volumes
Users and
groups
Client management is usually implemented by:
Managing access to network printers and to server-resident home folders, group
folders, and other folders.
Customizing the computer work environment of users, groups, and computers by
de6ning preferences for user accounts, group accounts, computers, and computer
groups.
This chapter introduces each of these client management topics as they apply to users
of Mac OS X computers.
9
Client Management Overview
Chapter 9 Client Management Overview 159
Using Network-Visible Resources
Mac OS X Server lets you make various resources visible throughout your network so
users can access them from di1erent computers and various locations.
There are several key network-visible resources:
Network home folders. A home folder, often referred to as a home directory or simply
home, is a place for each Vac OS \ user to keep personal 6les. A user with a record
in a shared Open Directory domain might have a home folder that resides on the
network, often on the same server where the user account resides.
A home folder contains several folderssuch as Desktop, Documents, and Public
to help organize information. After logging in, users access their network home
folders by clicking the Home icon in the Finder.
Group folders. When you set up a group account for network users, you can
associate a group folder with the group. A group folder is a place for group members
to exchange information electronically. By default, it contains three folders
Documents, Library, and Public. The Public folder contains a Drop Box folder, which
allows users to easily share their 6les.
By residing on the server for easy access throughout the network, a group folder
can be shown in the Dock for access from wherever a user wants to work on group
activities.
Other shared folders. You can set up other folders on the server to provide users
with access to applications, handouts, announcements, schedules, and other 6les.
NetBoot and NetInstall images. You can use NetBoot images and NetInstall images
on the server to simplify the setup of network users computers.
A users computer can start up from a NetBoot image stored on the server. You can
use the same computer for a science lab booting from one image and for a French
lab booting from a di1erent image. lach time a lab computer restarts, the system
reects the original condition of the selected boot image, regardless of what the
previous student did on the computer.
A NetInstall image installs precon6gured software on users' computers, making it
easy to remotely deploy the operating system, additional applications, and even
custom computer settings, without user interaction.
Customizing the User Experience
ou manage a network user's work environment by de6ning preferencessettings
that customize and control the users computer experience.
There are two panes in Workgroup Manager Preferences: Overview and Details.
lo manage prede6ned system preferences, use the Overview pane. lo manage
preferences for an application or utility that has a preference manifest, use the Details
pane.
The Overview pane is identical for users and groups, but additional items (Energy
Saver and Time Machine) appear for computers and computer groups.
Many factors, including user responsibilities and security issues, determine what
computer work environment is most suitable for a user. In some cases, setting up
informal usage guidelines is su1cient. ln other cases, tightly controlling the computer
experience is necessary, with each setting de6ned and each application controlled. lhe
preferences you de6ne should use Vac OS \ capabilities that best support your user
and your business requirements.
The Power of Preferences
Many preferences, such as Dock and Finder preferences, customize the appearance of
the desktop. For example, you can set up Dock and Finder preferences so the users
work environment is simpli6ed by including only essential applications and key folders
in the Dock.
Other preferences manage what users can access and control. For example, you can
set up Media Access preferences to prevent users from burning CDs and DVDs or
making changes to a computers internal disk.
lhe following table summarizes how preferences a1ect the appearance of the desktop,
and the activities a user can perform.
This preference Tailors the work
environment
Limits access and
control
By letting you manage
Applications Applications a user can
open
Classic Classic environment
startup
Dock Appearance and
contents of the Dock
160 Chapter 9 Client Management Overview
This preference Tailors the work
environment
Limits access and
control
By letting you manage
Energy Saver Startup, shutdown,
wake, sleep, and
performance settings
Finder Appearance of desktop
icons and Finder
elements
Login Login experience
Media Access Ability to use
recordable media
Mobility Creation of mobile
accounts
Network Proxy settings for
accessing servers
through a 6rewall
Parental Controls Web access and time
limits on computer use
Printing Printers a user can
use, and page footer
settings
Software Update Server to use for
updates
System Preferences System preferences
that are enabled on the
users computer
Time Machine Which volumes are
backed up and how
long the backup 6les
are retained
Universal Access Hardware settings
for users with special
visual, auditory, or other
needs
Designing the Login Experience
An example of the power of preference management is the ability to shape and
control the users login experience. You can set up Login preferences for computers
and computer groups to control the appearance of the login window.
lhe following table provides example con6gurations of the login window and login
options to suit your environment.
Environment &GUKTGFGGEV Key login settings
Kiosk The computer should always
be logged in as a local or guest
account.
Users can also log in with their
personal accounts (externally or
by using network accounts).
Show Other
Dont show Restart or Shut
Down buttons
Dont show password hint
Enable automatic login
Dont enable >console login
Dont log out inactive users
Enable external accounts
Enable guest account
Educational lab Users should be able to select
their account from a list.
People without accounts
shouldnt be able to shut down
or restart the computer.
Inactive users should be
automatically logged out.
Message: Welcome to the
Math Lab.
Show mobile accounts and
network users
Down buttons
Dont enable automatic login
Log out inactive users
Enable external accounts
Corporate workstation Users must enter their name
and password to log in.
Users should be able to work
without being logged out.
Except for primary users, no one
can log in unless they have a
network or local account.
Message: If you have issues,
contact the IT help desk at ...
Show name and password
text 6elds
Show Restart and Shut Down
buttons
Dont log out inactive users
Dont enable external
accounts
Dont enable guest account
Environment &GUKTGFGGEV Key login settings
High security The computer should be as
secure as possible, restricting
who can use the computer and
how they log in.
Message: Unauthorized use
prohibited
Show name and password
text 6elds
Down buttons
Dont enable >console login
Dont enable fast user
switching
Log out inactive users
Dont enable external
accounts
Dont enable guest account
Choosing a Workgroup
In addition to customizing the login window, you can manage login preferences that
a1ect whether users choose workgroups.
If you dont manage login access preferences, after the user authenticates, a list of
available workgroups appears (depending on computer settings and if the user
belongs to more than one workgroup).
Network account users choose from workgroups in their directory domain but local
users access their workgroups from their local directory domain.
Its possible for a user to belong to a group that doesnt appear in the list. The login
screen lists only workgroups that are allowed access by the computer group.
Local administrators also have the option not to choose a workgroup and disable
preference management.
Users can select Remember my choice, which bypasses the workgroup chooser
in future logins and selects a workgroup for the user. Users can still change their
workgroup by holding down the Option key while their password is validated.
If the computer or the computer group its associated with supports local-only users,
all workgroups that are given access to the computer by the computer group are
listed after a local user logs in. The user can select from any of these.
Preferences associated with the user, the chosen workgroup, parent workgroups, and
the computer being used, take e1ect upon login.
If you manage login access preferences, you can customize the workgroup choosing
process. For example, you could:
Ensure that the workgroup chooser is always shown (by selecting Always
show workgroup dialog during login, and in login options, deselecting Local
administrators may refresh or disable management).
Bypass the workgroup chooser and combine settings from all available workgroups
(by selecting Combine available workgroup settings).
Prevent parent group preferences from taking e1ect (by selecting "lgnore
workgroup nesting).
For more information, see Customizing the Workgroups Displayed at Login on
page 206.
Working with Synced Homes
After choosing a workgroup, users with local or network accounts are logged in. If the
user has a mobile account, he or she might be prompted to create a synced home,
depending on the users mobility settings and whether he or she already has a mobile
account.
After the user creates a synced home, he or she might be prompted to choose where
to store the home. The user can choose a volume on the local computer or on an
external volume, such as an external hard drive. If you choose the location for the user
(by setting it to the startup volume or a speci6c path), the user won't need to choose
where to create the home.
like the login preferences set in workgroup Vanager, mobility preferences also a1ect
how users log in and what dialogs are shown, and they dictate the kinds of decisions
the user must make when they log in. By managing preferences, you choose what
features are available and whether theyre automatically enabled or the user must
enable them.
Login and mobility preference management is an example of how preference
management allows you to precisely sculpt the user experience.
|mrovng Workow
ou can use preference management to improve workow by limiting the number of
applications and folders that appear. You can also make applications and folders more
accessible by putting them in the Dock and creating multiple workgroups (groups
with managed preferences), each of which has a Dock that is customized to show only
the applications used by users in the group.
Applications can be stored locally on a computers hard disk or on a server in a share
point. lf applications are stored locally, users can 6nd them in the Applications folder.
If applications are stored in a share point and you dont add the share point as a login
item, the user must connect to the server by choosing Go > Connect to Server in the
Finder to locate and use applications.
Applications can also be made available through an automounted share point as the
/Network/Applications mount record.
lo make speci6c applications easy to 6nd, you can use 0ock ltems preferences to place
an alias for the My Applications folder in the users Dock. The My Applications folder
contains aliases for applications.
However, adding the My Applications folder might extend the login time for managed
users because Mac OS X must search available disks to build the applications list for
every login.
For instructions on creating aliases to My Applications and other folders in a users
Dock, see Adding Items to a Users Dock on page 188.
You can manage user access to local applications by creating lists of approved
applications in the Applications preferences. (See Allowing Legacy Users to Open
Speci6c Applications and lolders on page 180.) lhis list determines what users 6nd in
the My Applications folder located in the Dock.
To prevent users from opening a Finder window to easily browse to other applications,
use Simple Finder. For more information about using Simple Finder, see Setting Up
Simple Finder on page 194.
If you created a group folder, you can set up quick access to the folder when a user
logs in to the workgroup associated with the folder. Users can use this group folder to
facilitate 6le sharing between group members.
For instructions on creating an alias for the group folder, see Providing Easy Access to
Group Folders on page 187. To provide access to the group volume, which contains the
/Public folder and a drop box for the group, see Providing Easy Access to the Group
Share Point on page 213.
166
Use this chapter to learn how to manage preferences for
users, workgroups, computers, and computer groups.
By managing preferences for users, workgroups, computers, and computer groups, you
can customize the users experience and restrict user access to only the applications
and network resources you choose.
To manage preferences, use the Preferences pane in Workgroup Manager.
For an overview of how to use managed preferences to customize the user experience,
see The Power of Preferences on page 160, and Designing the Login Experience on
page 161.
Using Workgroup Manager to Manage Preferences
workgroup Vanager allows you to set and lock speci6c system settings for users on
the network. You can set initial preferences and allow users to change them later or
you can keep preferences under administrative control at all times. (You can also leave
preference settings unmanaged.)
Workgroup Manager provides control over most major system and application
preferences, as well as settings for users, groups, computers, and computer groups. The
preference editor controls the remainder of the applications that require management.
10
Managing Preferences
Chapter 10 Managing Preferences 167
These preference panes allow you to manage the following settings:
Preference pane What you can manage
Applications Applications and Dashboard widgets available
to users, and if Front Row is enabled. For
more information, see Managing Access to
Applications on page 176.
Classic Classic startup settings, sleep settings, and the
availability of Classic items such as Control Panels.
For more information, see Managing Classic
Preferences on page 181.
Dock Dock location, behavior, and items. For more
information, see Managing Dock Preferences on
page 186.
Energy Saver Performance options for Mac OS X client and
server computers, battery usage for portable
computers, and sleep or wake options. For
more information, see Managing Energy Saver
Finder Finder behavior, desktop appearance and items,
and availability of Finder menu commands.
For more information, see Managing Finder
Login Login window appearance, mounted volumes,
access control, scripts, and items that
automatically open. For more information, see
Managing Login Preferences on page 201.
Media Access Settings for optical discs, internal and external
disks, and disk images. For more information,
see Managing Media Access Preferences on
page 213.
Mobility Creation of mobile accounts at login and mobile
account options. For more information, see
Managing Mobility Preferences on page 215.
Network Con6guration of speci6c proxy servers and
settings for hosts and domains to bypass and
disabling Internet Sharing, AirPort, and Bluetooth.
For more information, see Managing Network
Preference pane What you can manage
Parental Controls Content 6ltering or client computer usage
limiting. For more information, see Managing
Parental Controls Preferences on page 232.
Printing Available printers, printer access, and page
footers. For more information, see Managing
Printing Preferences on page 235.
Software Update Speci6c server to use for software update service.
For more information, see Managing Software
Update Preferences on page 239.
System Preferences System preferences available to users. For more
information, see Managing Access to System
Time Machine Time Machine settings like backup server
location, and coverage. For more information,
see Managing Time Machine Preferences on
page 241.
Universal Access Settings to control mouse and keyboard behavior,
enhance display settings, and adjust sound or
speech for users with special needs. For more
information, see Managing Universal Access
Understanding Managed Preference Interactions
ou can de6ne preferences for user accounts, group accounts, computers, and
computer groups that are set up in a shared directory domain.
A user whose account has de6ned preferences is referred to as a managed user. An
individual computer, or a computer that is a member of a computer group with
de6ned preferences, is called a managed computer. A group with de6ned preferences is
called a workgroup.
ou can de6ne lnergy Saver, lime Vachine, and login preferences only for computers
and computer groups, but you can de6ne other preferences for users, workgroups,
computers, and computer groups.
There are three types of managed-preference interactions:
Printing, Login, Applications, System Preferences, and some Dock preferences
(involving items that appear in the Dock) are considered combined.
lor example, if you de6ne Printing preferences for users and computers, a users
printer list includes printers set up for both the user and the computer used.
Other preferences de6ned at more than one level can be overridden at login.
168 Chapter 10 Managing Preferences
The illustration below shows how managed preferences that override interact when
the same preferences are set at multiple levels:
Group Preferences
Computer Group Preferences
Computer Preferences
User Preferences
when preferences that override conict, user preferences override computer,
computer group, and group preferences. Computer preferences override computer
group and group preferences. Computer group preferences override group
preferences.
lor example, let's say you have di1erent managed 0ock preferences for users,
workgroups, computers, and computer groups. The Dock preferences for the user
take precedence, overriding and nullifying Dock preferences set for computers,
computer groups, or workgroups. If you do not manage Dock preferences for the
user, the computer and computer group Dock preferences override and nullify
group Dock preferences.
An example of when preferences that override might be useful is in a school
environment where you want to prevent students from using recording devices
attached to a school computer, except for students who serve as lab assistants.
You could set up Media Access preferences for workgroups or computer groups
to limit all students access but override these restrictions for lab assistants using
Vedia Access settings at their user account level. ou could also designate a speci6c
computer for media recording by overriding the restrictions at the computer level.
Inherited preferences are preferences set at only one level.
In some cases, it might be easier and more useful to set preferences at only one
level.
For example, you could set printer preferences only for computer groups, set
application preferences only for workgroups, and set Dock preferences only for
users. In this example, no overriding or combining occurs, and the user inherits the
preferences without competition.
The illustration below shows how managed preferences interact when the same
preferences are set at multiple levels.
Resulting
Relationship
Overridden Inherited
Group
Computer
Group
Combined
Computer
User
Most of the time youll use workgroup-level and computer-group-level preferences:
Workgroup preferences are most useful to customize the work environment (such as
application visibility) for speci6c groups or to use group folders.
For example, a student might belong to a group Class of 2011 for administrative
purposes and to a workgroup Students to limit application choices and provide
a group shared folder for turning in homework. Another workgroup might be
Teacher Prep, used to provide faculty members with access to folders and
applications for their use only.
Computer-group-level preferences are useful when you want to manage
preferences for users regardless of group associations. At the computer-group level,
you might want to limit access to System Preferences, manage Energy Saver and
lime Vachine preferences, list speci6c users in the login window, and prevent the
saving of 6les and applications to recordable discs.
Computer group preferences also o1er a way to manage the preferences of users
who dont have a network account but who can log in to a Mac OS X computer
using a local account. (lhe local account, de6ned using the Accounts pane of
System Preferences, resides on the users computer.)
To manage local accounts, set up a computer group that supports local-only
accounts. Preferences associated with the computer group and with any workgroup
a user selects during login take e1ect.
Understanding Hierarchical Preference Management
Mac OS X Server v10.5 or later includes managed hierarchical groupsgroups
composed of nested groups, and computer groups composed of nested computer
groups. By managing preferences for a parent group or computer group, child or
computer groups also receive these managed preferences.
Child preferences take precedence and can override parent preferences. For example,
Dock settings set for a child override Dock settings set for a parent.
Combined preferences come from the child and parent. For example, if you make a
printer available for a parent group and a di1erent printer available to a child group, a
user who belongs to the child group can access both printers.
Be careful when creating situations where a child has several parents. If you dont
manage an overriding preference for a child and you have conicting overriding
preferences for several of the childs parents, it is hard to predict which parents
preference takes precedence.
Combined preferences work even when children have several parents. The preferences
of all parents combine with the childs preferences.
Dont make a child a parent of one of its parents. When you do you create a loop
where a child is its own grandparentwhich introduces unpredictable behavior.
Setting the Permanence of Management
when you de6ne preferences, you can manage them Always or Once. lhey are set to
Never by default:
Always causes the preferences to remain in e1ect until you change them on the
server. When properly designed, a Mac OS X application that conforms to standard
preference conventions does not allow a user to modify preferences set to Always.
You can use Always to ensure users cant add or remove Dock items.
Some applications might allow the user to change the Always managed preference,
but the next time the user logs back in, the preference reverts to the managed
setting.
Once is available for some preferences. You can create default preferences, which
users can then modify and keep the modi6cations. lhese preferences are e1ectively
unmanaged.
lor example, you could set up a group of computers to display the 0ock in a speci6c
way the 6rst time users log in. A user can change these preferences (you've set to
Once) and the selected changes always apply to that user.
In the Overview Preference panes, you can set the following preferences to Once:
Dock, Finder (Preferences and Views), Login (Login Items), Mobility (Login & Logout
Sync and Background Sync panes of Rules), and Universal Access. For all other
preferences, you must choose Always or Never.
Never lets a user control his or her preferences. However, some preference settings,
such as Accounts and Date & Time, require a local administrators name and
password before changes can be made.
Never also means that the preferences are not managed at this account level but
might be managed at a di1erent account level. lor example, even if you set the
Dock preference to Never for a user, the Dock preference could still be managed at
the group or computer level.
Note: When using the preference editor (the Details view in the Preferences pane),
you can set preferences to Often. Often settings are similar to Once settings, but are
reapplied at every login. This management setting is useful for training environments.
Users can customize their preferences to suit their needs during a session without any
risk of a1ecting a future user's work experience. Some applications only respond to
preference management set to Often.
Caching Preferences
Preferences are cached on Vac OS \ computers so they remain in e1ect even when
the computer is o1 the network. with Vac OS \ v10.5 and later, the preferences cache
is automatically managed:
Computer preferences and preferences for workgroups that can use the computer
are cached.
User preferences are always cached for users who have mobile accounts.
when a computer is o1 the network, only users with local accounts or network users
with mobile accounts on that computer can log in.
Preference Management Basics
In Workgroup Manager, information about users, groups, computers, and computer
groups is integrated with directory services. After you set up the accounts, you can
manage preferences for them.
Vanaging preferences means you can control settings for speci6c system preferences
in addition to controlling user access to system preferences, applications, printers, and
removable media.
Information about settings and preferences in user, group, or computer records is
stored in a directory domain accessible to Workgroup Manager, such as an Open
Directory domain.
Preferences are stored in a user, group, or computer record. During login, the managed
client combines them into a management list that is applied to the user experience.
After user accounts, group accounts, computer accounts, and computer groups
are created, you can manage preferences for them using the Preferences pane in
Workgroup Manager.
To manage preferences for Mac OS X clients, make sure that each user you want to
manage has a network home folder or a local home folder on the server.
For information about how to set up home folders for users, see Chapter 7, Setting Up
Home Folders
Note: When you manage preferences for a user, group, or computer, an arrow icon
appears next to the managed preference in the Preferences pane to indicate that
youre managing that preference. You can select multiple users, groups, or computers
to review managed preferences. If the arrow icon is dimmed, it means managed
preference settings are mixed for the selected items.
Managing User Preferences
You can manage preferences for users as needed. However, if you have large numbers
of users, it can be more e1cient to manage most preferences by group and computer.
ou might want to manage preferences at the user level only for speci6c individuals,
such as directory administrators, teachers, or technical sta1.
Consider which preferences you want to leave under user control. For example, if you
arent concerned about where a user places the Dock, you might want to set Dock
Display management to Never or Once.
To manage user preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock
and enter the name and password of a directory administrator.
3 Click the Users button and select one or more user accounts from the list.
4 Click the icon for the preference you want to manage.
5 In each Preference pane, select a Manage option.
In Media Access, the management setting applies to all preferences rather than to
individual panes.
6 Select preference settings or 6ll in information you want to use.
Some management settings are not available for some preferences, and some
preferences are not available for some types of accounts.
7 when you 6nish, click Apply low.
Managing Group Preferences
Group preferences are shared among all users in the group. Setting some preferences
only for groups instead of for each user can save time, especially when you have large
numbers of managed users.
Because users can select a workgroup at login, they can choose a group with managed
settings related to the current task, location, or environment. lt can be more e1cient
to set preferences once for a single group instead of setting preferences for each
member of the group.
To manage group preferences:
3 Click the Groups button and select one or more group accounts from the list.
5 In each preference pane, select a Manage option.
individual panes.
7 Click Apply Now.
Managing Computer Preferences
Computer preferences are preferences set for individual computers.
Energy Saver and Time Machine preferences can be managed for computers and
computer groups, but not for users or groups.
To manage computer preferences:
3 Click the Computers button and select one or more computers.
individual panes.
7 Click Apply Now.
Managing Computer Group Preferences
Computer preferences are shared among all computers in a computer group. In some
cases, it is more useful to manage preferences for computers rather than users or
groups.
Energy Saver and Time Machine preferences can be managed for computers and
computer groups, but not for users or groups.
To manage computer group preferences:
3 Click the Computer Groups button and select one or more computer groups.
individual panes.
7 Click Apply Now.
Dsab|ng Management for Sechc Preferences
After you set managed preferences for an account, you can turn o1 management for
speci6c preference panes by changing the management setting to lever.
You can use the Once setting to create default settings. These are settings that, when
saved, take e1ect the next time users log in. Users can then modify their settings and
save their modi6ed settings for future use.
To selectively disable preference management:
3 Select one or more users, groups, computers, or computer groups.
4 Click the icon for a preference that is being managed.
5 In the pane with the preferences you no longer want to manage, select Never.
individual panes.
6 Click Apply Now.
Setting the management setting to Never disables management for the current level
in the users, computers, or groups hierarchy. Preferences can still be managed at a
di1erent level.
When you change the preference management settings, the new settings apply to
all items in the active preference pane. To disable all management for an individual
preference (for example, Dock), make sure the management setting is set to Never in
each pane of that preference.
Managing Access to Applications
Use Applications preferences to allow or restrict user access to applications.
Computers identify applications using digital signatures (used in Mac OS X v10.5 or
later) and bundle IDs (used in Mac OS X v10.4 or earlier, but can be used in Mac OS X
v10.5 or later).
Digital signatures are more secure because clever users can manipulate bundle IDs.
Workgroup Manager supports the use of both methods.
Use the Applications pane to work with digital signatures. Use the Legacy pane to
work with bundle IDs.
Application restrictions depend on which pane youre managing and the version of
Mac OS X run by client computers:
If you manage the Applications pane and your users run Mac OS X v10.5 or later,
Applications settings take e1ect and legacy settings are ignored.
lf you don't manage the Applications pane, legacy settings take e1ect for any
version of Mac OS X.
lf your users run Vac OS \ v10.4 or earlier, only legacy settings take e1ect.
ou can also use settings in Applications preferences to allow only speci6c widgets in
Dashboard or to disable Front Row.
The table below describes what the settings in each Applications pane can do.
Applications preference pane What you can control
Applications Access to speci6c applications and paths to
applications using digital signatures (for users of
Mac OS X v10.5 or later)
Widgets List of allowed Dashboard widgets (for users of
Mac OS X v10.5 or later)
Front Row Whether Front Row is allowed
Legacy Access to speci6c applications and paths to
applications using bundle IDs (primarily for users
of Mac OS X v10.4 or earlier)
Contro||ng 0ser Access to Sechc A|catons and Po|ders
You can use Workgroup Manager to prevent users from launching unapproved
applications or applications located in unapproved folders.
ln Vac OS \ v10.4 or earlier, applications were identi6ed by their bundle l0s. lf your
users have Mac OS X v10.5 or later installed, you can use digital signatures to identify
applications. 0igital signatures are much more di1cult to circumvent than a bundle l0.
Workgroup Manager can sign applications that arent already signed. When signing
an application, you can embed a signature or you can store a detached signature
separate from the application.
lmbedding a signature has several performance bene6ts over a detached signature,
but with signature embedding you must make sure every computer has the same
signed application. For applications that are run from a CD, DVD, or other read-only
media, you must use detached signatures.
Workgroup Manager uses the following icons to identify the kind of signature
associated with an application.
Icon Indicates the application has this type of
signature
(no icon) Embedded signature
Detached signature
No signature
Applications that include helper applications are identi6ed by a disclosure triangle.
When you click the disclosure triangle, you see a list of helper applications. By default,
these helper applications are allowed to open.
You can disable individual helper applications, but the application might behave
erratically if it requires the helper applications.
To allow or prevent users from launching an application, add the application or
application path to one of three lists:
Always allow these applications. Add applications that should always be allowed,
regardless of their inclusion in other lists. You can sign applications added to this
list. Dont add unsigned applications to this list because they allow users to disguise
unapproved applications as approved applications.
Disallow applications within these folders. Add applications and folders containing
applications you want to prevent users from opening. All applications in the
subfolders of a disallowed folder are also disallowed. Disallowing a folder within an
application package can cause the application to behave erratically or fail to load.
Allow applications within these folders. Add applications and folders containing
applications you want to allow. All applications in the subfolders of an allowed
folder are also allowed. Unlike applications in the Always allow these applications
list, applications listed here are not allowed if they or their paths are listed in the
Disallow applications within these folders list.
If an application or its folder doesnt appear in these lists, the user cant open the
application.
1o a||ow users to oen sechc a|catons and fo|ders:
4 Click Applications and then click the Applications tab.
5 Set the management setting to Always.
6 Select Restrict which applications are allowed to launch.
7 Click the Applications tab (within the Applications pane), click the Add (+) button,
choose an application you want to always allow, and then click Add.
When you allow an application, you also allow all helper applications included with
that application. You can deselect helper applications to disallow them.
8 If youre asked to sign the application, click Sign; if youre asked to authenticate,
authenticate as a local administrator.
To add the application to the list as an unsigned application, click Dont Sign.
When you sign the application, Workgroup Manager tries to embed the signature. If
you dont have write access to the application, Workgroup Manager creates a detached
signature.
While signing an application, you might be asked to authenticate as an administrator
of the computer running Workgroup Manager.
9 Click the Folders tab, click the Add (+) button next to Disallow applications within
these folders, and then choose folders containing applications you want to prevent
users from launching.
10 Click the Add (+) button next to the "Allow applications within these folders' 6eld and
choose folders containing applications you want to allow.
Disallowing folders takes precedence over allowing them. If you allow a folder that is a
subfolder of a disallowed folder, the subfolder is still disallowed.
11 Click Apply Now.
A||owng Sechc Dashboard Wdgets
If your users have Mac OS X v10.5 or later installed, you can prevent them from
opening unapproved Dashboard widgets by creating a list of approved widgets (which
can include widgets included with Mac OS X and third-party widgets). To approve
third-party widgets, you must be able to access them from your server.
1o a||ow sechc Dashboard wdgets:
4 Click Applications and then click Widgets.
6 Select Allow only the following Dashboard widgets to run.
7 lo allow speci6c widgets, click the Add (+) button, select the widget's .wdgt 6le, and
then click Add.
The widgets included with Mac OS X are in /Library/Widgets.
8 lo prevent users from opening speci6c widgets, select the widget and click the
Remove () button.
9 Click Apply Now.
Disabling Front Row
With Workgroup Manager, you can disable Front Row.
To disable Front Row:
4 Click Applications and then click Front Row.
6 Deselect Allow Front Row.
7 Click Apply Now.
A||owng Legacy 0sers to Oen Sechc A|catons and Po|ders
To control user access to applications in Mac OS X v10.4 or earlier, you either:
Provide access to a set of approved applications that users can open
Prevent users from opening a set of unapproved applications
You can also set additional options to further control user access to applications.
When users have access to local volumes, they can access applications on the
computers local hard disk. If you dont want to allow this, you can disable local volume
access.
Applications use helper applications for tasks they cant complete independently.
For example, if a user tries to open a web link in a mail message, the mail application
might need to open a web browser to display the webpage.
Disallowing helper applications improves security because an application can
designate any other application as a helper application. However, you might want
to include common helper applications in the approved applications list. This avoids
problems such as users being unable to open and view mail content or attached 6les.
Occasionally, applications or the operating system might require the use of UNIX
tools, such as QuickTime Image Converter. These tools cant be accessed directly and
generally operate in the background without the users knowledge. If you disallow
access to UNIX tools, some applications might not work.
Allowing Ull\ tools enhances application compatibility and e1cient operation, but
might decrease security.
If you dont manage Applications settings for computers running Mac OS X v10.5 or
later, Legacy settings are used.
To set up a list of accessible applications:
4 Click Applications and then click Legacy.
6 Select User can only open these applications or User can open all applications except
these.
7 Add items to or remove items from the list.
To select multiple items, hold down the Command key.
8 To allow access to applications stored on the users local hard disk, select User can also
open all applications on local volumes.
9 To allow helper applications, select Allow approved applications to launch non-
approved applications.
10 To allow use of UNIX tools, select Allow UNIX tools to run.
11 Click Apply Now.
Managing Classic Preferences
You use Classic Preferences to set Classic startup options, assign a Classic System
lolder, set sleep options for the Classic environment, and make speci6c Apple menu
items available to users.
The Classic System Folder is a Mac OS 9 System Folder that contains the Mac OS 9
operating system. When users run Classic applications, they are running Mac OS 9 from
the Classic System Folder.
Classic can be run on Mac OS X v10.4 or earlier.
The table below describes what the settings in each Classic pane can do.
Classic preference pane What you can control
Startup Which folder is the Classic System Folder and
what occurs when Classic starts
Advanced Items in the Apple menu, Classic sleep settings,
and the user's ability to turn o1 extensions or
rebuild the Classic desktop 6le during startup
Selecting Classic Startup Options
Workgroup Manager provides a number of ways to control how and when the Classic
environment starts.
If users often work with applications that run in Classic, it is convenient to have
Classic start up immediately when a user logs in. If users rarely need Classic, you can
have Classic start only when a user opens a Classic application or when a document
requires such an application.
You can also choose to display an alert when Classic starts, giving users the option to
cancel Classic startup.
To work with startup options for Classic:
4 Click Classic and then click Startup.
6 To start Classic immediately when a user logs in, select Start up Classic at login.
When Classic starts up at login, the startup window is hidden and the user cant cancel
Classic startup.
If users rarely use Classic, you can deselect this option and Classic starts up when a
user opens a document or an application requires it. In this case, the Classic startup
window is visible to users and they can cancel Classic startup.
7 To show an alert dialog only when Classic starts up after a user attempts to open a
Classic application or document, select Warn at Classic startup.
If users manually start Classic or if Classic starts up at login, the warning is not shown.
Users can allow Classic startup to continue or they can cancel the process. If you dont
want to allow users to interrupt Classic startup, deselect this option.
8 Click Apply Now.
Choosing a Classic System Folder
In most cases, there is only one Mac OS 9 System Folder on a computer, and it is on the
Mac OS X startup disk. In this case, you dont need to specify a Classic System Folder.
If a computer has multiple Mac OS 9 System Folders on the startup disk and you
haven't set a speci6c path to one folder, users receive an error message and can't use
Classic.
If there is more than one Mac OS 9 System Folder on a computers startup disk, or if
you want to use a Vac OS 9 System lolder on a di1erent disk, enforce the use of a
speci6c folder when Classic is in use. lt is important if you specify a path to the folder's
location that all clients have the Mac OS 9 System Folder in the same relative location
on their hard disks.
If multiple Mac OS 9 System Folders are available and you dont enforce settings in the
Startup pane of the Classic preference, users can choose from among available Mac OS
9 System Folders (if they have access to the Classic pane of System Preferences).
1o choose a sechc C|assc System Po|der:
4 Click Classic and then click Startup.
6 ln the "Use this System lolder when Classic starts' 6eld, enter the path to the Classic
System Folder (for example, /Volumes/VolumeName/System Folder/), or click Choose
and then browse to the folder you want.
Make sure the path to the Classic System Folder on the client computer is the same as
the path to the Classic System Folder on the administrator computer.
7 Click Apply Now.
Allowing Special Actions During Restart
If managed users have access to the Classic pane of System Preferences, they can click
the Start/Restart button in the Classic pane to start or restart Classic.
ou can allow users to perform special actions, such as turning o1 extensions, starting
or restarting Classic, or rebuilding the Classic desktop 6le, from the Advanced pane
of Classic system preferences. ou might want to allow this for speci6c users, such as
members of your technical sta1.
To allow special actions during restart:
4 Click Classic and then click Advanced.
6 Select Allow special startup modes.
7 lo allow users to rebuild the Classic desktop 6le, select "Allow user to rebuild 0esktop.'
Deselecting this option disables the Rebuild Desktop button in the Advanced pane of
Classic system preferences.
8 Click Apply Now.
Controlling Access to Classic Apple Menu Items
Classic managed preference options allow you to control access to speci6c items in
the Classic Apple menu, including Mac OS 9 control panels, the Chooser and Network
Browser, and other Apple menu items. You can show or hide all, some, or none of these
items in the Apple menu.
If an item is hidden, users cant access that item from the Apple menu. However, there
might be alternative methods of access, such as starting the Chooser by navigating to
it in the Mac OS 9 System Folder.
If you want to further limit user access to these items, you can use the Applications
preferences in Workgroup Manager to specify the applications a user can open. For
more information, see Managing Access to Applications on page 176.
Note: 0isallowing access to the Chooser can a1ect what happens when a user
attempts to print from Classic (if printer management is also enforced). If users cant
access the Chooser, they cant set up new printers or switch between types of printers
(such as PostScript and non-PostScript printers).
To hide or show items in the Apple menu:
4 Click Classic.
5 Click Advanced and then set the management setting to Always.
6 To remove the Chooser and Network Browser from the Apple menu, select Hide
Chooser and Network Browser.
Deselect this option to show Chooser and Network Browser.
7 To remove Control Panels from the Apple menu, select Hide Control Panels.
Deselect this option to show Control Panels.
8 To hide remaining Apple menu items, select Hide other Apple Menu Items.
This group includes items such as Calculator, Key Caps, and Recent Applications.
Deselect this option to show these Apple menu items.
9 Click Apply Now.
Adjusting Classic Sleep Settings
When no Classic applications are open, Classic enters sleep mode to reduce the use
of system resources. You can adjust the amount of time Classic waits before going to
sleep after a user quits the last Classic application. If Classic is in sleep mode, opening a
Classic application might take a little longer.
In some circumstances, you might need to use applications that operate in the
background without the users interaction or knowledge. If a background application
is in use when Classic enters sleep mode, that application suspends its activity. To keep
the application running, set the Classic sleep setting to Never.
To adjust Classic sleep settings:
4 Click Classic.
6 Drag the slider to set the length of time Classic waits before going to sleep.
If you dont want Classic to go to sleep at all, drag the slider to Never.
7 Click Apply Now.
Maintaining Consistent User Preferences for Classic
Ordinarily, Classic looks for a users Mac OS 9 preferences data in the Mac OS 9
System Folder. If a user has more than one computer, or if multiple users work on
the same computer, make sure Classic uses preferences from the home folder in
~/Library/Classic/ so that preferences remain consistent for each user.
If you choose not to use preferences in the users Home folder, a users Mac OS 9 data
is stored in the Mac OS 9 System Folder and is not kept separate from other user data.
ln this case, users share preferences. Changes made by the last user are in e1ect when
the next user logs in.
To choose where Classic user preferences are stored:
4 Click Classic.
6 To maintain consistent Classic preferences, select Use preferences from home folder.
Deselect this option to use the local Mac OS 9 System Folder for all Classic user
preferences.
7 Click Apply Now.
Managing Dock Preferences
Dock settings allow you to adjust the behavior of the users Dock and specify what
items appear in it.
The table below describes what settings in each Dock pane can do.
Dock preference pane What you can control
Dock Items Items and their position in a users Dock
Dock Display The Docks position and behavior
Controlling the Users Dock
Dock settings allow you to adjust the position of the Dock on the desktop and change
the Docks size. You can also control animated Dock behaviors.
To set how the Dock looks and behaves:
4 Click Dock and then click Dock Display.
5 Set the management setting to Once or Always.
6 Drag the Dock Size slider to make the Dock smaller or larger.
7 lf you want items in the 0ock to be magni6ed when a user moves the pointer over
them, select Vagni6cation and then ad|ust the slider.
Vagni6cation is useful if you have many items in the 0ock.
8 From the Position on screen radio buttons, select whether to place the Dock on the
left, right, or bottom of the desktop.
9 lrom the "Vinimize using' pop-up menu, choose a minimizing e1ect.
10 If you dont want to use animated icons in the Dock when an application opens,
deselect Animate opening applications.
11 If you dont want the Dock to be visible all the time, select Automatically hide and
show the Dock.
When the user moves the pointer to the edge of the screen where the Dock is located,
the Dock appears.
12 Click Apply Now.
Providing Easy Access to Group Folders
After you set up a group folder, you can make it easy for users to locate the group
folder by placing an alias in the users Dock. The group folder contains the groups
Library folder, Documents folder, and Public folder (including a drop box). If you need
help setting up a group share point, see Creating a Group Folder on page 112.
If the group folder is not available when the user clicks the group folder icon, the user
must enter a user name and password to connect to the server and open the directory.
Note: This preference setting applies only to groups. You cant manage this setting for
users or computers.
To add a Dock item for a group folder:
1 If you havent set up a group share point, do so before proceeding.
5 Click Dock and then click Dock Items.
If you select Once, the group folder icon appears in the users Dock initially, but the
user can remove it.
7 Select Add group folder.
8 Click Apply Now.
If you change the location of the group share point, update the Dock item for the
group in Workgroup Manager.
Adding Items to a Users Dock
You can add applications, folders, or documents to a users Dock for easy access.
Make sure you use consistent paths for items you add in the Dock. This is especially
important if you add items in nonstandard locations (for example, putting an
application in another folder besides /Applications). If the Dock item cant be found, a
question mark replaces the item in the users Dock.
To add items to a users Dock:
If you select Once, the user can add and remove Dock items. If you select Always, the
user cant remove items from the Dock.
6 To add applications, folders, and documents to the Dock, click the Add (+) button to
browse and select the item you want.
To remove a Dock item, select it and then click the Remove () button.
You can rearrange Dock items in the list by dragging them into the order you want
them to appear. Applications are always grouped at one end, while folders and 6les are
grouped at the other. User-added items are located after your listed applications.
7 To add the My Applications folder, select My Applications.
The My Applications folder contains aliases for approved applications listed in the
Applications preference pane. If you do not manage the Applications preference,
available applications are shown. If you enable Simple Finder, you should display the
My Applications folder.
8 To add the Documents folder, select Documents.
The Documents folder is located in the users home folder.
9 To add the Network Home folder, select Network Home.
The Network Home folder is the network home folder for users with network accounts.
For users of mobile accounts, selecting Network Home adds the users network home
folder (not the users local home folder) to the Dock.
10 To replace the users current Dock with your selected items, deselect Merge with
users Dock.
11 After you 6nish adding 0ock items, click Apply low.
Preventing Users from Adding or Deleting Dock Items
Ordinarily, users can add items to their own Docks, but you can prevent this. Users
cant remove items you add to the Dock if you set the management setting to Always.
To prevent users from adding items to their Docks:
6 Deselect Merge with users Dock.
7 Click Apply Now.
Managing Energy Saver Preferences
Energy Saver preference settings help you save energy and battery power by
managing wake, sleep, and restart timing for servers and client computers.
ou can con6gure lnergy Saver preferences for desktop and portable computers.
0esktop and portable computers di1er in that portable computers can run on battery
power.
The table below summarizes what you can control with settings in each Energy Saver
pane.
Energy Saver preference pane What you can control
Desktop Sleep timing for the computer, display, hard disks,
and wake and restart options for Mac OS X and
Mac OS X Server
Portable Processor performance setting, sleep timing
similar to Desktop, and wake and restart options
for adapter and battery power sources
Battery Menu Display of the battery status indicator
Schedule Regular schedules for startup or shutdown
Using Sleep and Wake Settings for Desktop Computers
Putting a computer to sleep saves energy because it turns o1 the display and stops the
hard disk from running. Waking up from sleep is faster than starting up your computer.
You can use the Energy Saver preference settings to put computers to sleep after
a speci6ed period of inactivity. Other settings enable you to wake or restart the
computer when speci6c events happen.
To set sleep and wake settings:
3 Select one or more computers or computer groups.
4 Click Energy Saver and then click Desktop.
5 From the OS pop-up menu, choose Mac OS X or Mac OS X Server and set the
management setting to Always.
6 To adjust sleep settings, choose Sleep from the Settings pop-up menu and choose
from the following:
To do this Do this
Set the length of time the desktop computer
waits to enter sleep mode
Move the Put the computer to sleep when it is
inactive for slider. The computer does not enter
sleep mode if the slider is set to Never.
The default setting for Mac OS X is 10 minutes.
The default setting for Mac OS X Server is Never.
Use a di1erent time interval for the computer's
display
Select Put the display to sleep when the
computer is inactive for and move the slider. The
interval cant be longer than the computers sleep
setting.
lhe default setting for Vac OS \ is 6ve minutes.
The default setting for Mac OS X Server is 30
minutes.
Put the hard disks to sleep during periods of
inactivity
Select Put the hard disk(s) to sleep when
possible.
7 To set wake and restart settings, choose Options from the Settings pop-up menu and
choose from the following:
To do this Do this
Wake the computer when the modem is
activated
Select Wake when the modem detects a ring.
Wake the computer when an administrator
attempts remote access
Select Wake for Ethernet network administrator
access.
Alllow users to press the power button (without
holding it down for a prolonged period) to put
the computer in sleep mode
(For client computers with Mac OS X v10.3 or
later) Select Allow power button to sleep the
computer.
Make sure the computer restarts if the power fails Select Restart automatically after a power
failure. Deselect this option to disable automatic
restart.
8 Click Apply Now.
To manually wake up a sleeping computer or display, the user can click the mouse or
press a key on the keyboard.
Setting Energy Saver Settings for Portable Computers
You can use Energy Saver Portable settings to vary sleep and wake responses, in
addition to processor performance settings, depending upon what power source a
portable computer is using (an adapter or a battery). You can also set the computer to
restart if power suddenly fails.
To manage portable computer settings:
4 Click Energy Saver and then click Portable.
5 From the Power Source pop-up menu, choose Adapter or Battery and set the
6 To adjust sleep settings, choose Sleep from the Settings pop-up menu and choose
from the following:
To do this Do this
Set the length of time the desktop computer
waits to enter sleep mode
Move the Put the computer to sleep when it is
inactive for slider. The computer does not enter
sleep mode if the slider is set to Never.
The default setting for adapter power supplies is
10 minutes. The default setting for battery power
supplies is 6ve minutes.
Use a di1erent time interval for the computer's
display
Select Put the display to sleep when the
computer is inactive for and move the slider. The
interval cant be longer than the computers sleep
setting.
The default setting for battery and adapter power
supplies is 6ve minutes.
Put the hard disks to sleep during periods of
inactivity
Select Put the hard disk(s) to sleep when
possible.
7 To set wake and restart settings, choose Options from the Settings pop-up menu and
choose from the following:
To do this Do this
Wake the computer when the modem is
activated
Select Wake when the modem detects a ring.
Wake the computer when an administrator
attempts remote access
Select Wake for Ethernet network administrator
access.
Make sure the computer restarts if the power fails Select Restart automatically after a power
failure. Deselect this option to disable automatic
restart.
Choose the level of processor performance In the Processor Performance pop-up menu,
select Highest, Automatic, or Reduced. For
computers using an adapter, the recommended
setting is Highest. For computers using a battery,
the recommended setting is Automatic.
8 Click Apply Now.
To manually wake up a sleeping computer or display, users can click the mouse or
press a key on the keyboard.
Displaying Battery Status to Users
Portable computers use a battery as a direct power source while disconnected from
external power or as a backup power source while connected to external power.
When battery power is too low for the computer to function, the computer puts itself
to sleep to conserve energy. When a user reconnects the computer to a functional
power source (for example, by inserting a fresh battery or connecting a power
adapter), the user can wake the computer and begin working again.
Users should be encouraged to monitor battery status when not connected to
external power and use a power adapter when possible to maintain a fully charged
battery.
To show battery status in the menu bar:
4 Click Energy Saver and then click Battery Menu.
6 To display the battery status, select Show battery status in the menu bar; to disable
the battery status, deselect this option.
7 Click Apply Now.
Scheduling Automatic Startup, Shutdown, or Sleep
ou can schedule when computers start up, shut down, or sleep at speci6c times on
speci6c days of the week.
Scheduling shutdown or sleep can help you conserve energy during predictable times
of user inactivity, such as after business hours, on weekends, or after a class is 6nished.
Scheduling automatic startup allows you to conveniently prepare a lab or classroom
for immediate use.
To schedule automatic actions:
4 Click Energy Saver and then click Schedule.
5 From the OS pop-up menu, choose Mac OS X or Mac OS X Server and set the
6 To schedule automatic startup, select Start up the computer, choose a day or range
of days (Weekdays, Weekends, or Every Day) from the pop-up menu, and then enter a
time in the time 6eld.
To disable scheduled startup, deselect this option.
7 To schedule automatic sleep or shutdown, select the checkbox, choose Sleep or Shut
Down from the pop-up menu, choose a day or range of days (Weekdays, Weekends, or
lvery 0ay) from the pop-up menu, and then enter a time in the time 6eld.
To disable scheduled sleep or shutdown, deselect this option.
8 Click Apply Now.
Managing Finder Preferences
You can control various aspects of Finder menus and windows, which can help
improve or control workow.
For example, you can simplify the user experience by enabling Simple Finder. You can
also prevent users from writing to or ejecting disks.
The table below summarizes what you can do with each Finder preference pane.
Finder preference pane What you can control
Preferences Finder window behavior, Simple Finder, whether
open items appear on the desktop, 6lename
extension visibility, and the Empty Trash warning.
Commands Whether commands in Finder menus and the
Apple menu are available to users. These allow
users to perform tasks such as connecting to
servers or restarting the computer.
Views The arrangement and appearance of items on a
users desktop, in Finder windows, and in the top-
level folder of the computer.
Setting Up Simple Finder
You can select the normal Finder or Simple Finder as the user environment:
The normal Finder looks and acts like the standard Mac OS X desktop.
Simple Finder removes the ability to use a Finder window to access applications or
modify 6les. lhis limits users' access to only what is in the 0ock.
If you enable Simple Finder, users cant mount network volumes, create folders, or
delete 6les.
In addition to using Workgroup Manager, you can use System Preferences to set up
Simple Finder on a local computer. When you use Workgroup Manager to apply the
Simple Finder environment and the feature is not in use on the local computer, only
the client's linder is a1ected. 0ock and Application access settings must be managed
separately.
You can set up Simple Finder on the local computer and use the application and Dock
management features in Workgroup Manager to add Dock items and application
access.
Important: Dont turn on Simple Finder for users who run Mac OS X v10.2 through
v10.2.8 and log in to a workgroup with its own group folder. These users cant use
applications because Simple Finder prevents access to the group folder.
To turn on Simple Finder:
4 Click Finder, click the Preferences tab, and then select a management setting.
If you select Always, choose Use normal Finder or Use Simple Finder.
If you select Once, the account uses only the normal Finder.
5 Click Apply Now.
Keeping Disks and Servers from Appearing on the Users Desktop
Normally when a user inserts an external disk, that disks icon appears on the desktop.
Icons for local hard disks or disk partitions and mounted server volumes are also
visible. If you dont want users to see these items on the desktop, you can hide them.
Disks and servers still appear in the top-level folder when a user clicks the Computer
icon in a Finder windows toolbar.
To hide disk and server icons on the desktop:
5 Under Show these items on the Desktop, deselect the items you want to hide.
6 Click Apply Now.
Controlling the Behavior of Finder Windows
You can select which folder appears when a user opens a new Finder window. You can
also de6ne how contents are displayed when a user opens folders.
To set Finder window preferences:
5 Under New Finder window shows, choose the default folder for the Finder window.
Select Home to show items in the users home folder.
Select Computer to show the top-level folder, which includes local disks and mounted
volumes.
6 To display folder contents in a separate window when a user opens a folder, select
Always open folders in a new window.
Normally, Mac OS X users can browse through a series of folders using a single Finder
window.
7 To maintain a consistent view across windows, select Always open windows in column
view.
8 Click Apply Now.
Hiding the Alert Message When a User Empties the Trash
Normally, a warning appears when a user empties the Trash. If you dont want users to
see this message, you can turn it o1.
To hide the Trash warning message:
5 Deselect Show warning before emptying the Trash.
6 Click Apply Now.
Making Filename Extensions Visible
A 6lename extension usually appears at the end of a 6lename (for example, .txt or
.|pg). Applications use the 6lename extension to identify the 6le type.
1o make h|ename extensons vsb|e:
5 Select "Always show 6le extensions.'
6 Click Apply Now.
Controlling User Access to Remote Servers
Users can connect to a remote server by choosing the Connect to Server command
in the Finder Go menu and providing the servers name or IP address. If you dont want
users to access this menu item, you can hide the command.
To hide the Connect to Server command:
4 Click Finder, click Commands, and then set the management setting to Always.
5 Deselect Connect to Server.
6 Click Apply Now.
Controlling User Access to an iDisk
If users want to connect to an iDisk, they can choose the Go to iDisk command in the
Finder Go menu. If you dont want users to access this menu item, you can hide the
command.
To hide the Go to iDisk command:
5 Deselect Go to iDisk.
6 Click Apply Now.
Preventing Users from Ejecting Discs
lf you don't want users to be able to e|ect discs (for example, C0s, 0v0s, oppy disks,
or FireWire drives), you can hide the Eject command in the Finder File menu.
To hide the Eject command:
5 Deselect Eject.
6 Click Apply Now.
Hiding the Burn Disc Command in the Finder
On computers with relevant hardware, users can burn discs (write information to
recordable CDs or DVDs). If you dont want users to have this ability, you can hide the
Burn Disc command in the Finder File menu.
To prevent users from using or burning recordable CDs or DVDs, use settings
in the Media Access panes. For more information, see Managing Media Access
Only computers with a CD-RW drive, Combo Drive, or SuperDrive can burn CDs. The
Burn Disc command works only with CD-R, CD-RW, or DVD-R discs. Only a SuperDrive
can burn DVD-R discs.
To hide the Burn Disc command:
5 Deselect Burn Disc.
6 Click Apply Now.
Controlling User Access to Folders
Users can open a speci6c folder by choosing the "Co to lolder' command in the linder
Go menu and providing the folders pathname. If you dont want users to have this
ability, you can hide the command.
To hide the Go to Folder command:
5 Deselect Go to Folder.
6 Click Apply Now.
Removing Restart and Shut Down from the Apple Menu
If you dont want to allow users to restart or shut down the computer theyre using,
you can remove the Restart and Shut Down commands from the Apple menu.
To hide the Restart and Shut Down commands:
5 Deselect Restart and Shut Down.
6 Click Apply Now.
As an additional preventive measure, you can remove the Restart and Shut Down
buttons from the login window by using settings in Login preferences. For instructions,
see Changing the Appearance of the Login Window on page 202.
Adjusting the Appearance and Arrangement of Desktop Items
Items on a users desktop appear as icons. You can control the size of desktop icons
and how theyre arranged.
To set preferences for the desktop view:
4 Click Finder, click Views, and then select a management setting.
The management setting applies to options in all three views.
5 Click Desktop View and then drag the Icon Size slider to adjust the icon size.
6 To keep items aligned in rows and columns, select Snap to grid.
7 To arrange items by criteria such as name or type (for example, all folders grouped
together), select Keep arranged by and then choose a method from the pop-up
menu.
8 Click Apply Now.
Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of
how these items look, as well as whether to show the toolbar in a Finder window.
Default View settings control the overall appearance of all Finder windows. Computer
View settings control the view for the top-level computer folder, showing hard disks
and disk partitions, external hard drives, mounted volumes, and removable media
(such as CDs or DVDs).
To set preferences for Default and Computer Views:
4 Click Finder, click Views, and then set the management setting to Once or Always.
This setting applies to options in all three views.
5 Click Default View or Computer View.
Available settings are similar for both views.
6 Drag the Icon Size slider to adjust the icon size.
7 To keep icons aligned in rows and columns, select Snap to grid.
Arranging icons in a grid prevents icons from overlapping.
8 To sort icons, select Keep arranged by and then choose a method from the pop-up
menu.
ou can arrange items by name, creation or modi6cation date, size, or kind (for
example, all folders grouped together).
9 Adjust List View settings.
lf you select "Use relative dates,' an item's creation or modi6cation date appears as
Today instead of 3/24/09.
If you select Calculate folder sizes, the computer calculates the total size of each
folder shown in a Finder window. This can take some time if a folder is very large.
10 Select a size for icons in a list.
11 Click Apply Now.
Managing Login Preferences
Use Login preferences to set options for user login, to provide password hints, and
to control the users ability to restart and shut down the computer from the login
window. You can also mount a group volume or set applications to open when a user
logs in.
The table below summarizes what you can do with settings in each Login pane.
Login preference pane What you can control
Window For computers and computer groups only: The
appearance of the login window such as the
heading, message, which users are listed if the
"list of users' is speci6ed, and the ability to restart
or shut down
Options For computers and computer groups only: Login
window options like enabling password hints,
automatic login, console, fast user switching,
inactivity log out, disabling of management,
setting the computer name to match the
computer record, and external account login
Access For computers and computer groups only: Who
can log in, if local users can use workgroup
settings, and the combination and selection of
workgroups
Scripts For computers and computer groups only: Specify a
script to run during login or logout and whether
to execute or disable the client computers
LoginHook or LogoutHook scripts
Items Access to the group volume, which applications
open automatically for the user; and if users can
add or remove login items
Scripts, Login Window, and Options can be managed for computers only, not for users
or groups.
Changing the Appearance of the Login Window
You can easily change the appearance of a computers login window. These settings
include the login windows heading message, which users are listed and how, and the
display of the restart and shut down buttons. These settings apply only to computers
and computer groups.
when you display a list of users, you can choose which types of users to list. lhe e1ect
of these settings depends on the version of Mac OS X installed on client computers.
List setting Mac OS X version 'GEV
Show local users 10.4 Lists local accounts and mobile
accounts with a local home
folder
Show local users 10.5 or later Lists local accounts
Show mobile accounts 10.4 N/A
Show mobile accounts 10.5 or later Lists mobile accounts with a
local home folder and external
accounts
Show network users 10.4 or later Lists network accounts and
mobile accounts without a local
home folder
Show computer administrators 10.4 or later Lists local system administrators
Show Other... 10.4 or later Displays name and password
text 6elds, allowing the user
to authenticate with a local or
network-based account
The directory administrator account is considered a network account, and is therefore
hidden when you dont show network users. Another way to hide this account
would be to set the directory administrator accounts user ID to below 100. For more
information, see Modifying User IDs on page 69.
You can customize the login window to suit your needs.
For example, to test a computers ability to access the directory domain you could
change the heading to Directory status and display a list of network users.
Or, to prevent unauthorized access, you could create a warning message, display the
name and password 6elds (forcing intruders to know a user's name and password),
and disable showing the Restart and Shut Down buttons (to help prevent intruders
from bypassing the login window).
To change the appearance of the Login Window:
4 Click Login and then click Window.
6 To change the default heading, choose a heading from the Heading pop-up menu.
Users can view other headings by clicking the heading in the login window.
7 To display a message below the login windows heading, enter a message in Message.
8 To require the user to enter his or her user name and password, select Name and
password text 6elds.'
9 To allow a user to select his or her name from a list, select List of users able to use
these computers.
10 Select categories of users you want to display in the list:
To ensure that a type of user doesnt show up in the list, deselect the corresponding
setting.
To display mobile accounts on client computers with Mac OS X v10.5 or later, select
Show mobile accounts.
To display mobile accounts on client computers with Mac OS X v10.4 installed, select
Show local users.
To allow unlisted users to log in, select Show Other.
11 To allow the user to restart the computer, select Show Restart button.
If the user has physical access to the computer, he or she can still restart the computer.
12 To allow the user to shut down the computer, select Show Shut Down button.
If the user has physical access to the computer, he or she can still shut down the
computer.
You might also want to remove the Restart and Shut Down commands from the
Finder. For more information, see Managing Finder Preferences on page 194.
13 Click Apply Now.
Conhgurng Msce||aneous Logn Otons
ou can con6gure the following login options that don't change the appearance of
the login window but a1ect how users log in.
Option What this does when enabled
Show password hint when needed and available If the user supplied a password hint and he or
she enters an incorrect password three times, the
password hint appears.
Enable automatic login If the computers local settings enable Automatic
Login, the login window is bypassed when the
computer starts up.
Enable >console login Users can log in using the Darwin console
(command-line interface). To log in to the
console, the user enters >console and no
password in the login window. This allows the
user to bypass management.
Enable Fast User Switching With Fast User Switching, more than one
account is available at the same time on a single
computer.
The list of current active (authenticated) accounts
appears in a menu on the right side of the Finder
menu bar, allowing you to switch to a di1erent
account by choosing it.
A user must authenticate to switch to his or her
account, but the previous user does not need to
log out 6rst.
Log out users after # minutes of activity If a client computer has Mac OS X v10.4 or later,
when the set time interval has passed, the user is
logged out and returned to the login window.
Local administrators may refresh or disable
management
When local administrators log in, they have the
option not to choose a workgroup and to disable
preference management.
Set computer name to computer record name For computers with Mac OS X v10.5 or later: You
can set the computer name. lhis name a1ects
the client computers Bonjour name, which other
computers on the local subnet use to access the
client computer.
The new Bonjour name is name-#.local where
name is the computer record name you specify
and # uniquely identi6es the computer if there
are several computers with the same Bonjour
name.
Enable external accounts For computers with Mac OS X v10.5 or later: Users
can log in using external accounts. If the login
window displays a list of user names, the external
account is listed as a mobile account.
If the login window displays a name and
password 6eld, the user must enter the external
account name and password.
Enable guest account For computers with Mac OS X v10.5 or later: Users
can log in using the guest account. The guest
account allows anyone to access the computer
without requiring a password.
To manage guest users, manage the computers
or computer groups with enabled guest
accounts.
1o conhgure msce||aneous |ogn otons:
4 Click Login and then click Options.
6 Select the options you want to enable and click Apply Now.
Choosing Who Can Log In
Workgroup Manager gives you control over who is allowed to access computers.
You can choose which network users are allowed to log in and whether local users
can log in.
Denying access supersedes allowing access. If you allow computer access to a group
of network users, you can deny access to speci6c members of the group. lowever,
if you deny computer access to a group, you can't allow computer access to speci6c
members of that group.
If you dont list users or groups to allow or deny access to, all network users can log in.
If you add users or groups to the list, only users and groups that are explicitly allowed
access can log in.
Note: A user with an administrator account in a client computers local directory
domain can always log in.
To choose who can log in:
4 Click Login, click Access, and then set the management setting to Always.
5 To control access for all network users, click the Add Network Users (gear) button.
lf you allow access for the letwork Users group, you can prevent access for speci6c
users or groups. All other network users and groups are allowed access.
If you deny access for the Network Users group, all network users and groups are
denied access even if they are speci6cally allowed access in the list.
6 lo control access for speci6c users or groups, click the Add (+) button and then drag
user or group accounts from the drawer to the list.
To switch the drawers display of user accounts to group accounts or vice-versa, click
the Users or Groups button at the top of the drawer.
7 To allow or deny access to a user or group in the Access Control List, choose Allow or
Deny from the Access pop-up menu for that user or group.
8 To allow local users to access the computer, select Local-only users may login.
9 Click Apply Now.
Customizing the Workgroups Displayed at Login
ou can change settings that a1ect how workgroup preferences and other settings
impact a users experience. For example, you can require local users to choose a
workgroup.
This makes the users environment the same as if he or she was a member of
the workgroup. Or, you can con6gure how to handle situations where multiple
workgroups are available for a user.
The following access options control workgroup settings at login.
Local-only users use available workgroup settings For computers with Mac OS X v10.4 or later: Local
users must choose a workgroup when logging
in. The user can choose from all workgroups that
can access the computer. The users environment
is the same as if he or she was a member of the
workgroup.
Ignore workgroup nesting For computers with Mac OS X v10.5 or later: The
user can choose whether to use managed
preferences from a parent group or its child
group. Only the preferences of the chosen group
apply.
When disabled, the preferences of parent and
child groups apply.
Combine available workgroup settings For computers with Mac OS X v10.5 or later: The
users preferences are based on the combination
of preferences from all users workgroups. For
local users, all workgroups that can access the
computer are combined.
When enabled, the user cant select the
workgroup to use.
When disabled, the user can select which
workgroup to use. If the user selects a parent or
child group, the preferences of both apply.
Always show workgroup dialog during login For computers with Mac OS X v10.5 or later: The
dialog displaying all available workgroups
appears even when there are no workgroups
available.
To customize the workgroups displayed at login:
4 Click Login, click Access, and then set the management setting to Always.
5 Select the workgroup settings to enable them.
6 when you 6nish enabling workgroup settings, click Apply low.
To view the workgroup a user selects at login:
1 Connect to the client computer using an account with administrator privileges.
$ ssh admin@computer.name
Replace admin with the short name of the client computers administrator and
computer.name with the IP address or the DNS name of the client computer.
2 Convert the binary com.apple.VC\.plist 6le to \Vl format.
$ sudo plutil -convert xml1 /Library/Managed\ Preferences/shortname/com.
apple.MCX.plist
Replace shortname with the short name of the logged-in client account.
3 View the workgroup key in
/library/Vanaged Preferences/shortname/com.apple.VC\.plist 6le.
$ cat /Library/Managed\ Preferences/shortname/com.apple.MCX.plist
Replace shortname with the short name of the logged-in client account.
Enabling the Use of Login and Logout Scripts
You can use login scripts to perform a set of actions when a user logs in or logs out.
Because login or logout scripts run as root, they are very powerful. Test your scripts to
make sure they don't negatively impact system settings or damage user 6les.
You can add a login script to a computer in two ways:
Add a loginlook script to a speci6c computer
Apply a login script to a computer or computer group using Workgroup Manager
When enabling the use of login and logout scripts, you can set a trust value for the
client. Trust values determine the required level of authentication before a client trusts
a server enough to run its scripts. Most trust values directly correlate to LDAP security
policy settings that are con6gured in 0irectory Utility.
The trust value of DHCP doesnt correlate to a security policy. Instead, it correlates to
whether 0irectory Utility is con6gured to use a 0lCP-supplied l0AP server. lhe trust
value of Authenticated requires that you set up trusted binding to an LDAP directory.
For more information about how to use Directory Utility to enable LDAP security
policies using DHCP-supplied LDAP, or for setting up trusted binding, see Open
The following table lists trust values and requirements. The table is arranged in order
of increasing trust, where the last entry requires the highest level of trust.
Trust value name Requirements
Anonymous None. The client trusts any directory domain
server.
DHCP In Directory Utility, select Add DHCP-supplied
LDAP servers to automatic search policies.
Encryption In Directory Utility, select Encrypt all packets
(requires SSL or Kerberos).
Authenticated Set up trusted binding between the client
computer and the LDAP directory.
PartialTrust In Directory Utility, select Digitally sign all
packets (requires Kerberos). Most Active
Directory nodes support PartialTrust but not
FullTrust.
FullTrust In Directory Utility, select Block man-in-the-
middle attacks (requires Kerberos) and Digitally
sign all packets (requires Kerberos).
To set the minimum required trust level, set the MCXScriptTrust client setting:
If the clients MCXScriptTrust setting is a level of trust equal to or less than the trust
value, the client trusts the server and runs its login and logout scripts.
If the clients MCXScriptTrust setting is a level of trust more than the trust value, the
client doesnt trust the server and doesnt run its scripts.
The default trust value is FullTrust.
To enable the use of login or logout scripts:
1 Log in to the users computer locally or use Apple Remote Desktop.
2 Open the Sharing pane of System Preferences.
3 Click the lock to authenticate, and enter the name of a local or directory administrator.
4 Click Edit.
5 If the local host name contains special nonalphabetic or nonnumeric characters such
as spaces, dashes, and underscores, remove the special characters and then click OK.
For example, change local host names like Anne-Johnsons-Computer to
AnneJohnsonsComputer.
6 Optionally, determine the trust level by entering the following command in Terminal:
dscl localhost -read /LDAPv3/www.apple.com dsAttrTypeStandard:TrustInform
ation
Replace www.apple.com with the address of your LDAP directory. Running this
command displays a line similar to the following:
TrustInformation: Authenticated FullTrust
In this example, the current trust level is FullTrust. The trust level is also Authenticated.
When two trust levels are listed, the higher trust level takes precedence.
7 Set the EnableMCXLoginScripts key in
~root/Library/Preferences/com.apple.loginwindow.plist to TRUE by entering the
following command in Terminal:
sudo defaults write com.apple.loginwindow EnableMCXLoginScripts -bool
TRUE
8 To change the trust value from FullTrust, set the MCXScriptTrust key in
~root/Library/Preferences/com.apple.loginwindow.plist to a valid trust value.
For example, enter the following command in Terminal:
sudo defaults write com.apple.loginwindow MCXScriptTrust -string
PartialTrust
This command sets the trust value to PartialTrust. To set other trust values, replace
PartialTrust with other trust values. If you enter an invalid trust value, the trust value is
reset to FullTrust.
When you enable login and logout scripts or change the trust value, add login
and logout scripts in Workgroup Manager. For more information about how to use
Workgroup Manager to add login and logout scripts, see Choosing a Login or Logout
Script.
Choosing a Login or Logout Script
You can only run login and logout scripts on computers or computer groups. Before
adding scripts, you must enable them using login and logout scripts. If you change the
trust level for client computers running Mac OS X v10.4, re-add your scripts.
For instructions on enabling login and logout scripts on clients and for more
information about trust levels, see Enabling the Use of Login and Logout Scripts on
page 208.
If you run login or logout scripts for computers and computer groups, the script for
the computer is run 6rst, followed by the script for the computer group, starting with
hierarchical groups and ending with parent groups.
You cant run scripts that are larger than 30 KB.
To choose login or logout scripts:
4 Click Login and then click Scripts.
6 Select Login Script or Log-Out Script, then in the dialog that appears, locate your script
and click Open.
7 Click Apply Now.
Automatically Opening Items After a User Logs In
You can simplify the user experience by setting frequently used items such as
applications, folders, or server connections to open when the user logs in. You can
also hide the items to help prevent screen clutter while still making the items easily
accessible.
Items open in the order they appear in Login Items preferences. You specify the order.
The last item opened becomes the active application. For example, if you specify three
items to open (and none are hidden), the user sees the menu bar for the last item
opened. If an application has open windows, the windows might overlap windows
from other applications.
A user can stop login items from opening by holding down the Shift key during login
until the linder appears on the desktop. ou can turn o1 this feature.
To set an item to open automatically:
4 Click Login and then click Items.
5 Select a management setting.
6 To add an item to the list, click the Add (+) button, select the application, folder, or
server you want to automatically open, and then click Add.
7 For any item you dont want the user to see right away, select its Hide checkbox.
The application remains open but its windows and menu bar remain hidden until the
user activates the application (for example, by clicking its icon in the Dock).
8 To automatically connect the user to a server, select the server and then select
Authenticate selected share point with users login name and password.
The server must use the same directory domain as the one the user logs in to.
9 If you dont want users to have the ability to add and remove items, deselect User may
add and remove additional items.
This option is available only if Login Items preferences are always managed. If you only
manage Login Items preferences Once, a user can remove any items added to the
login list.
Users cant remove items added to the login items list but they can remove items
theyve added themselves.
10 To prevent users from stopping applications that open automatically at login, deselect
User may press Shift to keep items from opening.
This option is available only if Login Items preferences are always managed.
11 If you select Once, you can click Merge with users items.
This produces two results, depending on whether the user has items in their login list.
If the user has items listed in their login list, either by the user adding them or by
having items previously added through preference management, merging only opens
login items that appear on the users list and on your list.
If the users login list does not include items, all managed login items appear.
If you do not select Merge with users items, all login items on either list open.
12 Click Apply Now.
Providing Access to a Users Network Home Folder
Dont provide access to a users network home folder to users with mobile accounts
on Mac OS X v10.4 or later. Mac OS X v10.4 and later include portable home directories,
which provide a synced subset of the users local and network home folders.
lf a user modi6es 6les in the local and network home folders, when the two home
folders sync, the newer modi6cations take precedence, which could surprise and
confuse the user. Additionally, users could be confused by having multiple folders
titled with their user names and similarly named folders like Documents, Music, and
others.
To automatically mount the Network Home:
3 Select a mobile user account in the account list.
6 Select Add network home share point.
7 Click Apply Now.
Providing Easy Access to the Group Share Point
After you set up a group share point, you can make it easy for users to locate group
folders by automatically connecting to the share point at login.
The connection to the group share point uses the user name and password given at
login.
When you manage Finder preferences, you can choose to not show connected servers,
which removes the group volume icon from the desktop.
If you change the location of the group share point, update the login item for the
group in Workgroup Manager.
For information about setting up a group share point, see Creating a Group Folder on
page 112.
Note: This preference setting applies only to groups. You cant manage this setting for
users or computers.
To add a login item for the group share point:
1 If you havent set up a group share point and group folder, do so.
7 Select Add group share point.
8 Select the newly added group share point item.
If you dont want the group share point to appear in the Dock, select the Hide
checkbox.
9 Make sure Mount share point with users name and password is selected.
10 Click Apply Now.
Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the
local hard disk, and external disks (for example, oppy disks and lirewire drives).
The table below describes what you can do with the settings in each Media Access
pane.
Media Access preference pane What you can control
Disc Media Settings for CDs, DVDs, and recordable discs (for
example, CD-R,CD-RW, or DVD-R). Computers
without relevant hardware are not a1ected by
these settings.
Other Media Internal hard disks and external disks (other than
CDs or DVDs).
Controlling Access to CDs, DVDs, and Recordable Discs
You can control whether users can play or record CDs or DVDs. However, you cant
deny access to speci6c discs or to speci6c items on a disc.
If a computer has a recordable disc drive, you can control a users ability to burn
discsthat is, to write information on a recordable disc such as a CD-R, CD-RW,
or DVD-R. Users can burn CDs on computers with a CD-RW drive, Combo Drive, or
SuperDrive. Users can burn DVDs only on computers with a SuperDrive.
To control access to disc media:
4 Click Media Access and then set the management setting to Always.
This setting applies to all Media Access preference options.
5 Click Disc Media and select the desired options.
If you select Require Authentication, the user must authenticate as a local
administrator to use the disc media.
before you can select Require Authentication, you must 6rst select Allow.
6 Click Apply Now.
Controlling Access to Hard Drives, Disks, and Disk Images
ou can control access to internal or external disk drives such as oppy disk drives, Zip
drives, USb drives, and lirewire drives. ou can also control access to disk images (6les
with the .dmg extension). If your managed computers use Mac OS X v10.6 or later, you
can control access to DVD-RAM discs.
If you disallow external disks, external disks do not appear in the Finder. If you disallow
disk images, the images are visible in the Finder but users cant open them.
To restrict access to internal and external disks:
4 Click Media Access.
6 Click Other Media and select desired options.
If you select Require Authentication, the user must authenticate as a local
administrator to use the disc media.
If you select Read-Only, users can view the contents of a disk but cant change it or
save 6les on it.
Before you can select Require Authentication or Read-Only, you must select Allow.
7 Click Apply Now.
Ejecting Removable Media Automatically When a User Logs Out
If you allow users to access CDs, DVDs, or external disks such as Zip disks or FireWire
drives on shared computers, you can automatically eject removable media when a
user logs out.
To automatically eject removable media:
4 Click Media Access.
6 In Disc Media or Other Media, select Eject all removable media at logout.
7 Click Apply Now.
Managing Mobility Preferences
You can automatically create mobile accounts for users during their next login.
If your computers use Mac OS X v10.5 or later, you can also encrypt the contents of the
mobile accounts portable home directory, restrict its size, choose its location, or set an
expiration date on the account.
The table below describes what you can do with the settings in each Mobility pane.
Mobility preference pane What you can control
Account Creation Whether to create mobile accounts when users
log in and whether to encrypt contents of the
portable home directory, restrict its size, or
choose a di1erent location for it
Account Expiry Whether to delete mobile accounts and how
soon to do so after the users next login
Rules The folders you want to sync at login and logout
(or in the background) and how frequently to
sync folders in the background
For planning information and other considerations for mobile accounts, see
Chapter 8, Managing Portable Computers.
Creating a Mobile Account
You can use Workgroup Manager to create a mobile account when a user logs in. If
you dont enable the creation of mobile accounts, the user logs in using a network
account. When you enable mobile accounts, a local home folder is created for the user
at 6rst login.
When the users local home folder is created, its based on a template stored on the
local computer. The users network home folder is based on a template stored on the
server hosting home folders.
When you modify these templates, you change the users default home folder
structure and content, and you can modify the ~/Library folder, allowing you to set
default bookmarks and application preferences.
You can choose whether local and network home folders initially sync, in which case
the network home folder replaces the local home folder.
You must authenticate as root to change the template stored in
/System/Library/User Template/language.lproj. Replace language with the language
used on the client computer, such as English.
Note: When a mobile account is enabled, it appears in the login window and in the
Accounts pane of System Preferences with the label Mobile. When the account is
selected in the Accounts pane, some settings might appear dimmed.
To create a mobile account using Workgroup Manager:
3 Select a user account, group account, computer, or computer group.
When users log in to a workgroup with mobile-account creation enabled, they are
given individual mobile accounts. Similarly, if you enable mobile accounts for a
computer or a computer group, when users log in using the computer or a computer
in the computer group, users are given individual mobile accounts for that computer.
4 Click Mobility, click Account Creation, and then click Creation.
6 Select Create mobile account when user logs in to network account.
7 If you want the user to decide whether to enable a mobile account at login, select
"Require con6rmation before creating mobile account.'
lf this option is selected, the user sees a con6rmation when logging in. lhe user can
click Create Now to create a local home folder and enable the mobile account, click
Dont Create to log in as a network user without enabling the mobile account, or click
Cancel Login to return to the login window.
lf you select "Show '0on't ask me again' checkbox,' the dialog allows the user to
prevent the display of the dialog on that computer. If the user selects Dont ask me
again and then clicks Dont Create, he or she isnt asked to create a mobile account
on that computer. The user can hold down the Option key during login to redisplay
the dialog.
8 To initially sync local and network homes so that the network home folder replaces the
local home folder, select Create home using network home and default sync settings.
To create the local home folder using the local home template, select Create home
using local home template.
If you sync the local and network homes folders, the default Mac OS X sync settings
(those in the Accounts pane of System Preferences) are enabled. If you create the local
home folder using the local home template, the default Mac OS X sync settings are
disabled. In both cases, managed sync settings apply.
9 Click Apply Now.
Changes are applied to a mobile account the next time the computer connects to the
network.
Preventing the Creation of a Mobile Account
To prevent the creation of mobile accounts, manage Mobility preferences.
After a user creates a mobile account, the local home folder for that account stays on
the computer until its deleted. You can delete local home folders to save disk space,
or you can set an expiration period on the mobile account so local home folders are
deleted when the account expires.
For instructions, see Manually Removing Mobile Accounts from Computers on
page 218, and Setting Expiration Periods for Mobile Accounts on page 224.
To prevent the creation of mobile accounts:
6 Deselect Create mobile account when user logs in to network account.
7 Click Apply Now.
Manually Removing Mobile Accounts from Computers
If a user no longer requires a mobile account, you can delete the account. When you
delete the account, you can also delete or archive the users local home folder.
To delete a mobile account, you must log in to the computer using an account
other than the mobile account. You must also know the name and password of an
administrator account on the computer.
If you want to use Workgroup Manager to remove the mobile account remotely, you
can set a null expiration period for the account. By doing so, you remove the mobile
account from all computers. For more information, see Setting Expiration Periods for
Mobile Accounts on page 224.
To remove a mobile account:
1 On the client computer, log in using a di1erent account from the one you're removing
the mobile account of.
2 Open System Preferences.
3 Click Accounts and then click the lock and authenticate as the local administrator.
4 To list all accounts, click the Other Accounts disclosure triangle and then select the
mobile account you want to remove.
The mobile account should have the word Mobile listed.
5 Click the Delete () button.
6 Choose one of the following home folder options and then click OK.
Option 'GEV
Save the home folder in a disk image Removes a user account from the local directory
domain but preserves the local home folder in
/Users/username.dmg, where username is the
short name of the deleted user.
Do not change the home folder Removes a user account from the local directory
domain but preserves the local home folder in
/Users as username (Deleted), where username is
the short name of the deleted user.
Delete the home folder Removes a user account from the local directory
domain and permanently deletes the users home
folders.
Enabling FileVault for Mobile Accounts
If your users have computers with Mac OS X v10.5 or later installed, you can use
FileVault to encrypt the local home folders for their mobile accounts.
FileVault encrypts the users local home folder using the Advanced Encryption
Standard with 128-bit keys (AES-128). The home folder content is safe even if the users
computer is stolen or if an intruder attempts to use the computer while the user is not
logged in.
The users login password is used to decrypt and give the user access to his or her
FileVault-protected account. If the user forgets the login password and a computer
administrator has set a master password, the administrator can use the master
password to unlock all local accounts.
You can choose whether to require master passwords when enabling FileVault
protection for mobile accounts:
If you dont require a master password and there is no master password, local
computer administrators cant unlock the account.
If you require a master password and there is no master password, the user cant
enable a mobile account.
lf you select "Require con6rmation before creating mobile account,' the user can
log in with a network account. Network accounts dont have local home folders
(preventing intruders from accessing home folder content).
If you enable FileVault, you can restrict the size of the local home folder. When you set
a network home disk quota (in the Home pane of a user account), it limits the amount
of space available for the users network home folder.
By restricting the size of the local home folder, you prevent the users local home
folder from using more space than is available in the users network home folder. This
ensures that the home folders can sync without requiring more space than is available
in the network home folder.
Additionally, if you make the maximum size of the local home folder smaller than the
network home disk quota, you can provide more exibility for handling 6les with sync
conicts.
If a mobile account is protected with FileVault, the user must be logged in to share
6les using lile Sharing.
To enable FileVault for mobile accounts:
You must select this option to enable a mobile account for the selected account.
7 To allow the user to choose not to create a local home folder (so that instead of a
mobile account, the user logs in with a network account), select "Require con6rmation
before creating mobile account.
If you require a master password but the user logs in to computers without master
passwords set, selecting this allows the user to log in with a network account.
8 Click Options.
9 Select Encrypt contents with FileVault, then select Use master password, if available
or Require computer master password.
If you select Use master password, if available, the mobile account uses FileVault
regardless of whether there is a master password already set.
If you select Require computer master password and there is no master password set,
the user might be able to log in with a network account, depending on whether you
selected "Require con6rmation before creating mobile account' in the Creation pane.
10 lo restrict the size of the local home folder, select "Restrict size' and select "to 6xed
size or to percentage of network home quota; then enter a value that is less than the
size of your network home folders disk quota.
lf you didn't set a disk quota, select "to 6xed size.'
For more information about setting a disk quota, see Creating a Network Home
Folder on page 134.
11 Click Apply Now.
Selecting the Location of a Mobile Account
You can select the location of a mobile accounts local home folder or you can let the
user select the location. If you select the location, choose from one of the following.
Home folder location Description
on startup volume The local home folder is located on the startup
volume in /Users/. This is the default location
where the local home folders of mobile accounts
on computers with Mac OS X v10.4 and earlier are
stored.
at path The local home folder is located at the path you
specify.
ou can specify a di1erent volume by entering
/Volumes/DriveName/Folder/, where DriveName is
the name of the volume, and Folder is the folder
in the volume.
If you dont specify a volume, the location is on
the startup volume.
user chooses When users with mobile accounts log in, a
window appears that allows them to choose
a location for the local home folder. After they
choose a location, the window only appears
when a mobile account is being created.
You can choose which types of volumes the user
is allowed to choose from:
any volume includes volumes on internal or

external hard disks
any internal volume includes volumes on

internal hard disks
any external volume includes volumes on

external hard disks
lf you choose a location at a speci6c path, make sure the folder has the following
permissions.
Type Name Privilege
Owner system Read & Write
Group admin Read only
Others Others Read only
If you choose a location that doesnt exist on the users computer, it is created when
the user logs in.
When a location is chosen on an external disk, you create an external account. For
more information, see Creating External Accounts on page 222.
To select the location of a mobile account:
4 Click Mobility, click Account Creation, click Creation, and then set the management
setting to Always.
6 Click Options and then set the management setting to Always.
7 Select a Home folder location option.
If you select at path, enter the path to a folder on an external drive in the format
/Volumes/DriveName/Folder, replacing DriveName with the name of the external
drive and Folder with a folder on the external drive. If you dont specify a volume, the
location is on the startup volume.
If you select user chooses, choose a type of volume from the pop-up menu to allow
the user to store his or her local home folder on that type of volume.
8 Click Apply Now.
Creating External Accounts
An external account is a mobile account where the local home folder is stored on an
external drive, allowing the user to access his or her account on any computer with
Mac OS X v10.5 or later.
The users local home folder is stored entirely on the external drive and leaves no
remnants on computers. External accounts also save hard disk space on the computer,
which is especially important if you dont set an account expiration or if many users
create mobile accounts with local home folders on the same computer.
To determine the location of the external account, choose from the following. All of
these ways can be used to set up external accounts:
If you set the location to on startup volume, the mobile account doesnt
immediately become an external account. After creating the local home folder, if the
user starts target disk mode on the computer and connects it to a client computer,
the mobile account then becomes an external account.
If you set the location to at path, you can enter the path for the mobile accounts
local home folder. If you enter a path for an external drive, a local home folder is
created on the external drive after the user logs in.
If you set the location to user chooses volume, when the user logs in, a window
appears allowing the user to choose whether to store the local home folder on the
computer or on an external drive. If the user chooses an external drive, a local home
folder is created on the external drive.
To create an external account:
4 Click Mobility, click Account Creation, click Creation, and then set the management
setting to Always.
7 For the home folder location, select at path, user selects volume, or any volume:
If you select at path, enter the path to a folder on an external drive in the format
/Volumes/DriveName/Folders, replacing DriveName with the name of the external
drive and Folders with a folder on the external drive.
If you select user selects volume, choose any external volume or any volume
from the pop-up menu. After authenticating at the login window, the user is
prompted to choose a location.
If you select any volume, the user can choose either on the local hard disk or on the
external hard disk. If the user chooses the external hard disk, the local home folder is
stored in /Users/ShortName, where ShortName is the users short name.
8 Click Apply Now.
Setting Expiration Periods for Mobile Accounts
When a user enables a mobile account, Mac OS X usually creates a local home folder
on the computer he or she is using. If that user enables mobile accounts on several
computers, each of those computers has a local home folder for the user. If the user
doesnt use those computers, the local home folders are unused and waste disk space.
When you set an expiration period on a mobile account, the mobile account and its
local home folder are deleted after a period of inactivity.
You can also set an expiration period of 0 to delete the mobile account and its local
home folder as soon as possible. Depending on the account type youre managing, as
soon as possible refers to one of these events:
For users and groups, the mobile account and its local home folder are deleted after
the user logs out.
For computers and computer groups, the mobile account and its local home folder
are deleted the next time the login window appears. This doesnt include when the
login window appears while using fast user switching.
lxpiry settings do not a1ect external accounts.
To set an expiration period:
4 Click Mobility and then click Account Expiry.
6 Select Delete mobile accounts and enter a number of hours, days, or weeks.
7 To wait until after the users mobile account syncs to delete the local home folder,
select Delete only after successful sync.
8 Click Apply Now.
Choosing Folders to Sync
You can use Workgroup Manager to choose which folders to sync at login, logout, in
the background, or manually for users with mobile accounts. You can also choose not
to sync speci6c folders.
There are two types of syncs: preference sync and home sync. Preference sync is used for
preference 6les, which are typically stored in ~/library. lome sync is used for 6les in
the users home folder (~) but not ~/Library.
lhe two syncs di1er in how they handle conict resolution and background syncing.
Sync conicts occur when a 6le changes on the client and the server since the last
sync. For preference syncing, if you have login and logout sync enabled, when users
log in, network 6les override conicting client 6les, but when users log out, client
6les override conicting network 6les. when 6les don't conict, newer 6les override
older 6les regardless of if they're on the server or the client.
when a preference sync occurs in the background, preference 6les sync from the
client to the server but not from the server to the client. lf preference 6les on the
server are newer than preference 6les on the client, the sync can only complete at
login or logout.
Be careful with login and logout syncing. A users login and logout is delayed while
6les are syncing. Using background syncing can also cause users to load outdated 6les
from the network, especially when syncing is set to occur at long intervals.
For considerations when choosing folders to sync and how to sync them, see
Strategies for Syncing Content on page 151.
To choose folders to sync:
3 Select users, groups, computers, or computer groups.
4 Click Mobility, click Rules, and then click Preference Sync or Home Sync.
6 Select Sync at login, Sync at logout, Sync in the background, or Sync manually.
7 Add folders by doing one of the following:
Click Add (+) for the Sync lists and enter the path to the folder you want to sync.
Precede the folder with ~/ to specify the location of the synced folder in the users
home folder. For example, to sync the users Documents folder, enter ~/Documents.
Click Browse (...) for the Sync lists to browse to a folder.
Because you are browsing the computer running Workgroup Manager, you might
choose a folder that is not located in the users account. If you choose a folder that
doesn't exist in the user's account, no 6les are synced.
8 To choose not to sync 6les or folders, use Add (+) or browse (...) buttons to add items
to the Skip items that match any of the following list.
lo 6lter for speci6c items, click the Vatch 6eld entry for any list item.
9 To add synced folders to folders the user selects for syncing, select Merge with users
settings.
If you sync the same folder in Workgroup Manager as the user chooses in the Accounts
pane of System Preferences, merging causes the Workgroup Manager sync settings to
take precedence. If you do not select Merge with users settings, the folders you sync
replace those chosen by the user.
When used with the Once setting, merging with the users settings is useful for adding
folders without disrupting the folders the user has set to sync.
10 Click Apply Now.
Stopping Files from Syncing for a Mobile Account
lo stop a mobile account from syncing 6les, you must manage its login and logout
and background sync rules. If you leave them unmanaged, the users current sync
settings remain in e1ect and the user can choose his or her sync settings in the
Accounts pane of System Preferences.
1o sto h|es from syncng:
4 Click Mobility and then click Rules.
5 Click Login & Logout Sync and then set the management setting to Always.
6 Deselect Sync at login and logout.
7 Click Background Sync and then set the management setting to Always.
8 Deselect Sync in the background.
9 Click Apply Now.
Setting the Background Sync Frequency
You can change the frequency of syncing for background folders. By default,
background folders sync every 20 minutes. You can set frequencies from 5 minutes to
8 hours.
If you set the frequency to a long interval, you run a higher risk of users loading older,
outdated 6les. lf users save 6les and log o1 before the background 6les sync, when
they load the same 6le on another computer, they might get either an older synced
6le or no 6le at all.
To set the frequency for syncing background folders:
4 Click Mobility, click Rules, and then click Background Sync.
Vake sure to select Once or Always and that there are items con6gured to sync in the
background.
6 Click Every and drag the slider to set the frequency for background folder sync.
If you want background folders to sync only when users choose to sync, click Manually.
lhe default frequency is 20 minutes. lhe frequency you set also a1ects folders that
users con6gure to sync automatically.
7 Click Apply Now.
Showing Mobile Account Status in the Users Menu Bar
If mobile account users run Mac OS X v10.5 or later, you can add a mobile account
status menu to their menu bar. This status menu allows the user to do the following:
View when he or she last synced
Initiate a sync
Change their home sync preferences
Home sync preferences correspond to Mobility preferences in Workgroup Manager. If
you manage any Mobility preferences, users cant change those preferences.
Home sync preferences includes the following settings:
Setting the home folder location
Enabling FileVault
Enabling background, login, and logout sync
Selecting what is synced
Setting the sync frequency
Enabling the mobile account status menu
lf you disable the mobile account status menu, the user can still con6gure his or her
mobile account in the Accounts pane of System Preferences.
To show mobile account status in the users menu bar:
4 Click Mobility, click Rules, and then click Options.
6 Select Show status in menu bar.
7 Click Apply Now.
Managing Network Preferences
Use letwork preferences to select and con6gure proxy servers that can be used by
users and groups. ou can bypass proxy settings for speci6c hosts and domains. lhis
has the advantage of providing a customized browsing experience for managed users
and groups.
You can also disable Internet Sharing, AirPort, or Bluetooth. Disabling these can
improve security by removing avenues for attack.
The table below describes what settings in each Network pane can do.
Network preference pane What you can control
Proxies Access to proxy servers, the ability to bypass
proxy settings, and use of passive FTP mode
Sharing & Interfaces Availability of Internet Sharing from the
computer, and use of AirPort or Bluetooth
Conhgurng Proxy Servers by Port
ou can con6gure speci6c types of proxies for a user or group to access and specify
the port. lhe types of proxy servers that are individually modi6able are llP, web
(HTTP), Secure Web (HTTPS), Streaming (RTSP), SOCKS, Gopher, and Automatic Proxy
Con6guration.
You must assign a single server for every type of proxy server (for example, you cant
have multiple FTP proxy servers).
1o conhgure roxy servers for a user or a grou:
4 Click Network and then click Proxies.
6 Select the speci6c type of proxy you want to con6gure (llP, web, and so on).
7 Specify a URL and a port using the form proxyserver.apple.com:8080.
8 Click Apply Now.
A||owng 0sers to 8yass Proxy Servers for Sechc Domans
When managing Network preferences for users, you can allow them to bypass proxy
settings for speci6c hosts or domains. bypassing the proxy server lets users connect
directly to speci6ed addresses.
You must set up a proxy server before you can bypass it. For instructions, see
Con6guring Proxy Servers by Port on page 228.
To choose the domains that users can access directly:
6 ln the "bypass proxy settings for these losts 8 0omains' 6eld, enter the addresses of
the hosts and domains that you want users to be able to connect to directly.
To enter multiple address, separate the subnet masks with new lines, spaces,
semicolons, or commas.
There are several ways to enter addresses:
A subdomain or fully quali6ed domain name (lQ0l) of a target server, such as
server1.apple.com or store.apple.com.
lhe speci6c lP address of a server, such as 192.168.2.1.
A domain name, such as apple.com. This bypasses apple.com but not subdomains
such as store.apple.com.
An entire website including all subdomains, such as *.apple.com.
A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add
a subnet of 192.168.2.x, you would name that view 192.168.2.0/24. For a detailed
description of subnet masks and CIDR notation, see Network Services Administration.
7 Click Apply Now.
Enabling Passive FTP Mode
When managing Network preferences, you can require passive FTP mode. Passive FTP
mode causes the FTP server to open a connection to the computer on a dynamically
determined port. lhis can be more convenient for computers but it requires port 6lters
to be properly con6gured on the llP server.
To enable passive FTP mode:
6 Select Use Passive FTP Mode (PASV).
7 Click Apply Now.
Disabling Internet Sharing
Although Internet Sharing is a convenient way for computers to share Internet access,
turning it on can disrupt your network (because it can cause conicts with 0lCP and
NAT services).
To reenable Internet Sharing, you must log in to the computer locally and enable it in
the Sharing pane of System Preferences.
To disable Internet Sharing:
4 Click Network and then click Sharing & Interfaces.
6 Select Disable Internet Sharing.
7 Click Apply Now.
Disabling AirPort
If you disable AirPort, it is disabled the next time a computer retrieves managed
preferences. If the computer had active AirPort connections, they are immediately
disconnected.
To reenable AirPort, you must log in to the computer locally and enable it in the
Network pane of System Preferences.
To disable AirPort:
6 Select Disable AirPort.
7 Click Apply Now.
Disabling Bluetooth
Before disabling Bluetooth, make sure your computers dont rely on Bluetooth-enabled
input devices like keyboards and mice.
To reenable Bluetooth, you must log in to the computer locally and enable it in the
Network pane of System Preferences.
To disable Bluetooth:
6 Select Disable Bluetooth.
7 Click Apply Now.
Managing Parental Controls Preferences
Parental Controls preferences allow you to hide profanity in Dictionary, limit access to
websites, or set time limits or other contraints on computer usage. To manage Parental
Controls preferences, computers must have Mac OS X v10.5 or later.
The table below describes what settings in each Parental Controls pane can do.
Parental Controls preference pane What you can control
Content Filtering Whether profanity is allowed in Dictionary, and
limitations on which websites users can view
Time Limits How long and when users can log in to their
accounts
Hiding Profanity in Dictionary
You can hide profane terms from the Dictionary application included with Mac OS X
v10.5 or later. When you hide profane terms, entirely profane terms are removed
from search results. If you search for a profane term that has an alternate nonprofane
de6nition, 0ictionary only displays the nonprofane de6nition.
To hide profanity in Dictionary:
4 Click Parental Controls and then click Content Filtering.
6 Select Hide profanity in Dictionary.
7 Click Apply Now.
Preventing Access to Adult Websites
You can use Workgroup Manager to help prevent users from visiting adult websites.
ou can also block access to speci6c websites while allowing users to access other
websites. ou can allow or deny access to speci6c subfolders in the same website.
lnstead of preventing access to speci6c websites, you can allow access only to speci6c
websites. For more information, see Allowing Access Only to Speci6c websites on
page 233.
1o revent access to sechc webstes:
6 Select Limit access to websites by and choose trying to limit access to adult
websites.
7 lo allow access to speci6c sites, click the Add (+) button next to the "Always allow sites
at these URLs list and then enter the URL of the site you want to allow.
8 lo block access to speci6c sites, click the Add (+) button next to the "lever allow sites
at these URLs list and then enter the URL of the site you want to block.
To allow or block a site, including all content stored in its subfolders, enter the highest
level URL of the site.
For example, allowing http://www.example.com/ lets the user view all pages in
www.example.com. However, blocking http://www.example.com/banned/ prevents
the user from viewing content stored in www.example.com/banned/, including all
subfolders in /banned/ (but allows the user to view pages in www.example.com that
are not in /banned/).
9 Click Apply Now.
A||owng Access On|y to Sechc Webstes
ou can use workgroup Vanager to allow access only to speci6c websites on
computers with Mac OS X v10.5 or later.
If the user tries to visit a website that he or she is not allowed to access, the web
browser loads a webpage that lists all sites the user is allowed to access.
To help direct users to allowed sites, the users bookmarks are replaced by the websites
you allow access to. The bookmarks created by allowing access to websites are called
managed bookmarks.
lf the user syncs bookmarks with VobileVe, the 6rst time the user syncs he or she
is asked if MobileMe should merge or replace its bookmarks with the managed
bookmarks. If the user merges bookmarks, the MobileMe bookmarks will include
the original MobileMe bookmarks and the managed bookmarks. If the user replaces
bookmarks, the MobileMe bookmarks will include only the managed bookmarks.
ou can also use workgroup Vanager to block speci6c websites instead of blocking all
websites. For more information, see Preventing Access to Adult Websites on page 232.
1o a||ow access on|y to sechc webstes:
6 Select Limit access to websites by and choose allowing access to the following
websites only.
7 Use one of the following methods to add websites that you want to allow access to:
In Safari, open the site and then drag the icon from the address bar (of Safari) to the
list.
In Safari, choose Bookmarks > Show All Bookmarks, then drag icons from the
bookmark list to the list in Workgroup Manager.
lf you have a .webloc 6le of the website you want to allow access to, drag the 6le
into the list.
lf you don't have a .webloc 6le of the website you want to allow access to, click the
Add (+) button and enter the URL of the website you want to allow.
ln the "web site title' 6eld, name the website. ln the Address 6eld, enter the highest
level URL of the site.
For example, allowing http://www.example.com/ lets the user view all pages in
www.example.com. Allowing http://www.example.com/allowed/ lets the user view
content stored in www.example.com/allowed/, including all subfolders in /allowed/,
but not folders located outside of /allowed/.
8 To create folders to organize websites, click the New Folder (folder) button, then
double-click the folder to rename it.
To add URLs within a folder, open the folders disclosure triangle, select the folder, and
then click the Add (+) button.
To create a subfolder, open a folders disclosure triangle, select the folder, and then
click the New Folder (folder) button.
9 To change the name or URL of a website, double-click the website entry; then, to
rename a folder, double-click the folder entry.
10 To rearrange websites or folders, drag the websites or folders within the list.
11 Click Apply Now.
Setting Time Limits and Curfews on Computer Usage
You can use Workgroup Manager to set time limits and curfews for computer usage on
computers with Mac OS X v10.5 or later.
If you set a time limit for computer usage, users who meet their daily time limits cant
log in until the next day when their quota is reset. ou can set di1erent time limits for
weekdays (Monday through Friday) and weekends (Saturday and Sunday). The time
limit can range from 30 minutes to 8 hours.
If you set a curfew, users cant log in during the days and times you specify. If a user
is logged in when their curfew starts, the user is immediately logged out. You can set
di1erent times for weekdays (denying access Sunday nights through lhursday nights)
and weekends (Friday and Saturday nights).
To set time limits and curfews:
4 Click Parental Controls and then click Time Limits.
5 Set the management setting to Always and then select Enforce limits.
6 To set time limits, click Allowances, then under Weekdays or Weekends select Limit
computer use to and drag the slider to the amount of time you want to limit use.
7 To set curfews, click Curfews, select Sunday through Thursday or Friday and
Saturday, and then enter the range of time when you want to prevent computer
access.
You can highlight the time and replace it with a new time, or you can highlight the
time and click the up or down buttons next to the time.
8 Click Apply Now.
Managing Printing Preferences
Use Printing preferences to create printer lists and manage access to printers.
The table below describes what the printing settings do.
Printing preference pane What you can control
Printers Available printers, the users ability to add printers
or access a printer, and the default printer
Footer Customization of the page footer
Making Printers Available to Users
You can set up a managed printer list so that users, groups, or computers have a
speci6c set of network printers available when they print.
The list of printers available to the user is a combination of managed printers for the
user, the group selected at login, and the computer used, and any printers that are add
to the printer list on the users computer. You can restrict the printer list to only show
managed printers.
Printers added using AppleTalk are not supported for client computers running
Mac OS X v10.6.
To create a printer list for users:
4 Click Printing and then click Printers.
6 Click Printer List.
The Available Printers list is created from the list of available network printers in Print &
Fax System Preferences.
7 Select a printer in the Available Printers list and then click Add to make that printer
available in the users printer list.
If the printer you want doesnt appear in the Available Printers list, click Open Printer
Setup and add the printer to the Printer & Fax printer list.
8 To restrict the printer list to only show managed printers, select Only show managed
printers.
9 Click Apply Now.
Preventing Users from Modifying the Printer List
If your users run Mac OS X v10.5, they must authenticate as local administrators to
change the list of printers.
If your users run Mac OS X v10.6 or later or Mac OS X v10.4 or earlier, you can manage
preferences so users dont need to authenticate as local administrators to change the
list of printers.
To restrict access to the printer list:
7 Deselect Allow user to modify the printer list.
8 Click Apply Now.
Restricting Access to Printers Connected to a Computer
ln some situations, you might want only speci6c users to print to a printer connected
directly to their computers.
For example, if you have a computer in a classroom with a printer attached, you can
reserve that printer for teachers by making the teacher an administrator and requiring
an administrators user name and password to access the printer.
1o restrct access to a rnter connected to a sechc comuter:
7 If you want the client computer to have access to a network printer, select the printer
and then click Add to List.
8 If you dont want users to access local printers, deselect Allow printers that connect
directly to the users computer.
9 To require an administrator password to use the printer, select Require an
administrator password.
10 Click Apply Now.
Setting a Default Printer
After you set up a printer list, you can specify a printer as the default printer. When a
user tries to print a document, this printer is the preferred selection in an applications
print dialog.
To set the default printer:
6 Click Access.
7 Select a printer listed in Users Printer List and then click Make Default.
8 Click Apply Now.
Restricting Access to Printers
ou can require an administrator user name and password to print to speci6c printers.
1o restrct access to a sechc rnter:
6 Click Access, select a printer listed in Users Printer List, and then select Require an
administrator password.
7 Click Apply Now.
Adding a Page Footer to All Printouts
Adding page footers to all printouts can help users identify their printouts from other
users printouts. This is especially useful in educational environments where students
might print identical or nearly identical assignments.
The footer appears at the bottom left of the page. It overlays existing printed content.
If your printouts have footers or very small margins, the managed footer might
become garbled.
The footer includes the users long name and the date and time when the user sent
the print job. The date and time is based on the users computers date and time, not
the servers.
The footer can also include the Ethernet ID of the computer that sent the print job.
For example, heres a footer for a user named Anne Johnson:
Anne Johnson Saturday March 3, 2007 5:59:01 PM PT 00:11:22:33:44:55
To add a footer to all printouts:
4 Click Printing and then click Footer.
6 Select Print page footer (user name and date).
7 To print the Ethernet ID, select Include MAC address.
8 Choose a font for the footer from the Font name pop-up menu.
You can choose Helvetica, Courier, Lucida Grande, or Times.
9 Enter a font size for the footer.
There is no font size limit for the footer. However, 7 is the default (and recommended)
size.
10 Click Apply Now.
Managing Software Update Preferences
With Mac OS X Server, you can create a Software Update server to control updates
that are applied to speci6c users or groups. lhis is helpful because it reduces external
network tra1c while also providing more control to server administrators.
by con6guring the Software Update server, server administrators can choose which
updates to provide.
To manage access to Software Update servers:
4 Click Software Update.
6 Specify a URL in the form http://someserver.apple.com:8088/index.sucatalog.
7 Click Apply Now.
Managing Access to System Preferences
You can specify which preferences to show in System Preferences.
If a user can see a preference, it does not mean the user can modify that preference.
Some preferences, such as Startup Disk preferences, require an administrator name
and password before a user can modify its settings.
The preferences that appear in Workgroup Manager are those installed on the
computer youre currently using. If your administrator computer is missing preferences
that you want to disable on client computers, install the applications related to
those preferences or use Workgroup Manager on a computer that includes those
preferences.
To manage access to System Preferences:
4 Click System Preferences.
6 For each item you dont want to appear in a users System Preferences, deselect its
Show checkbox.
To select all Show checkboxes, click Show All. To deselect all Show checkboxes, click
Show None.
7 Click Apply Now.
Managing Time Machine Preferences
Time Machine preferences let you control Time Machine, which provides a backup of
computer data to network servers. Time Machine backs up all computer data, such
as installed applications and their preferences, all local account data, and (optionally)
system 6les. lo use lime Vachine, your computers must run Vac OS \ v10.5 or later.
lo manage lime Vachine, you must run 6le services, such as AlP service. when
managed users log in to Mac OS X, their login name and password are used to
authenticate them with the 6le server.
You can back up a computers startup volume or all local volumes. If users have
network accounts, their data isnt backed up through Time Machine (because their
data is stored on a network server, not locally).
You can enable Time Machine to perform automatic hourly backups. If you dont use
automatic backup, the user can manually back up using Time Machine.
Time Machine is useful for backing up computers with primarily local accounts. It is
also useful if users have administrative control over the computer and can install their
own applications.
You can limit the total backup storage per computer. When you limit total backup
storage for a computer group, the limit applies to each computer in it. If you limit a
computer group to 2 Cb, and the computer group has 6ve members, the computer
group can use up to 10 GB of backup storage. Backup storage is not preallocated, so
the server can run out of space before the computers reach their backup storage limit.
If a user runs out of backup storage, Time Machine stops backing up data. To make
sure Time Machine doesnt run out of space, make the limit larger than the expected
size of the data being backed up, and don't back up system 6les.
ou can save space on the 6le server by not backing up system 6les. System 6les
include 6les that are created when Vac OS \ is installed. lf you don't back up system
6les and system 6les are corrupted, you must use the Vac OS \ Server installation
discs to reinstall Vac OS \ Server. by not backing up system 6les, you speed up the
initial backup but you dont speed up subsequent backups.
To manage Time Machine preferences:
4 Click Time Machine.
6 ln the "backup server' 6eld, enter the URl of the 6le server or share point that will store
Time Machine backups, using the form afp://www.example.com/Backups/.
Replace www.example.com/backups/ with the URl of the 6le server or share point. lhe
location you enter must already exist.
7 To select volumes to back up, select Startup volume only or All local volumes.
8 lo back up system 6les, deselect "Skip system 6les.'
9 To use automatic backup, select Back up automatically.
10 To limit backup storage, select Limit total backup storage to: # MB and replace # with
the number of MB to limit backup storage.
11 Click Apply Now.
Managing Universal Access Preferences
Universal Access settings can help improve the user experience. For example, if a user
has di1culty using a computer or wants to work in a di1erent way, you can choose
settings that enable the user to work more e1ectively.
Using Workgroup Manager, you can set up and manage Universal Access settings for
speci6c workgroups or computers dedicated to users with special needs.
The table below describes what the settings in each Universal Access pane can do.
Universal Access preference pane What you can control
Seeing Visual display and desktop zooming
Hearing Visual alert for users
Keyboard How the keyboard responds to keystrokes and
key combinations
Mouse How the pointer responds, and whether users can
use the numeric keypad instead of a mouse
Options Shortcut key combinations, the use of assistive
devices, and whether the computer reads text in
the Universal Access preference pane
Adjusting the Users Display Settings
The Seeing settings in Universal Access preferences alter the appearance of the screen.
lhe user can easily zoom in or out on the desktop using keyboard shortcuts (speci6c
key combinations). Changing to grayscale or white-on-black display can sometimes
make it easier to read text on the screen.
Note: If display settings are managed Once, users can switch between the zoom or
color options using keyboard shortcuts. If the management setting is Always, users
cant switch between options.
To further customize the users display, you can use Finder Views preferences to control
the size of icons in Finder windows, and use Dock Display preferences to enlarge
or magnify icons in the users Dock. For more information, see Managing Finder
Preferences on page 194 and Managing Dock Preferences on page 186.
If you plan to manage dedicated computers, you might be able to use local Display
System Preferences to change the resolution and number of colors computers use.
After setting the resolution and number of colors, you can prevent changes to the
Display System Preferences by removing Display from the list of available System
Preferences.
For more information, see Managing Access to System Preferences on page 240.
For more information about enabling assistive devices like screen readers, see
Allowing Devices for Users with Special Needs on page 246.
To adjust screen appearance:
4 Click Universal Access.
5 Click Seeing and then select a management setting.
6 lo enable zooming, select "lurn on Zoom', to 6ne-tune zoom settings, click Zoom
Options.
Use the sliders to set a maximum and minimum zoom.
To show a preview area, select Show preview rectangle when zoomed out.
To improve the appearance of zoomed graphics, deselect Smooth images.
7 To change the color scheme to white on black or grayscale, select Switch to and then
select White on Black or Grayscale.
8 Click Apply Now.
Setting a Visual Alert
If users cant hear computer alert sounds (for example, the sound played when new
mail arrives or an error occurs), you can ash the screen as an alternative.
1o set a ashng a|ert:
5 Click Hearing and then select a management setting.
6 Select Flash the screen whenever an alert sound occurs.
7 Click Apply Now.
Adjusting Keyboard Accessibility Options
lf some users have di1culty pressing keys, you can use Sticky Keys or Slow Keys to
help them use the keyboard.
Sticky Keys help users who cant press multiple keys simultaneously. It treats
a sequence of modi6er keys (Shift, Command, Option, and Control) like a key
combination. For example, to press Command-O, users can press Command and
then O.
To hold down a key with multiple keystrokes, users can press the key twice. For
example, pressing Shift twice is like using Caps Lock, except that it also presses Shift
when entering commands. So if youve pressed Shift twice, and you press Command
and then O, its the same as pressing Shift-Command-O (because using Caps Lock
instead of pressing Shift twice is like pressing Command-O). Pressing Shift a third time
removes the Shift key from the current key combination.
If you set up Sticky Keys, you can make them more useful by enabling these options:
Option 'GEV
beep when a modi6er key is set Setting and holding a modi6er key makes distinct
typewriter sounds. Removing a key from the
current key combination doesnt create a sound.
Display pressed keys onscreen when a modi6er key is pressed, a silhouette
of the modi6er key is shown onscreen. lf the
modi6er key is only active for a single press, its
silhouette is dim. lf the modi6er key is in held-
down mode, its silhouette is bright.
Slow Keys help users who press keys for too long or accidentally press keys. If you
enable Slow Keys, you can set a delay when a key is accepted. If the user presses a key
for less time than the acceptance delay, the keystroke isnt accepted.
To help users recognize when their keystrokes are accepted, enable the Use click
sounds' option to play a sound when the user initially presses a key and a di1erent
sound when the key is accepted.
Note: lf you enable Universal Access Shortcuts, a user can press the Shift key 6ve times
to turn Sticky Keys on or o1. lor more information, see "Enabling Universal Access
Shortcuts on page 246.
To set the way the keyboard responds to keystrokes:
5 Click Keyboard and then select a management setting.
6 To activate Sticky Keys, select Sticky Keys On.
lo turn o1 the key-combination alert, deselect "beep when a modi6er key is set.'
lo turn o1 onscreen display of keystrokes, deselect "Show pressed keys on screen.'
7 To activate Slow Keys, select Slow Keys On.
If you dont want audio feedback during keystrokes, deselect Use click key sounds.
Move the slider to adjust the amount of delay between when a key is pressed and
when the computer accepts it.
8 Click Apply Now.
Adjusting Mouse and Pointer Responsiveness
If some users cant use a mouse (or prefer not to), the Mouse Keys feature allows
them to use the numeric keypad instead. Keys on the numeric keypad correspond to
directions and mouse actions so the user can move the pointer and hold, release, or
click.
Note: lf you enable Universal Access Shortcuts, a user can press the Option key 6ve
times to turn Vouse Keys on or o1.
If the pointer moves too quickly for some users, you can adjust how soon the pointer
begins to move and how fast it moves.
To control mouse and pointer settings:
5 Click Mouse and then select a management setting.
6 To activate Mouse Keys, select Mouse Keys On.
7 To control how long it takes for the pointer to begin moving, adjust the Initial Delay
slider.
8 To control how fast the pointer moves, adjust the Maximum Speed slider.
9 Click Apply Now.
Enabling Universal Access Shortcuts
Universal Access Shortcuts are key combinations that activate an available access
feature, such as onscreen zooming or enabling Sticky Keys.
If you choose not to allow Universal Access shortcuts, users might not be able to use
features such as Zoom or turn o1 activated features such as Sticky Keys.
To allow Universal Access Shortcuts:
5 Click Options and then set the management setting to Once or Always.
6 Select Allow Universal Access Shortcuts.
7 Click Apply Now.
Allowing Devices for Users with Special Needs
You can allow managed users to turn on assistive devices, such as a text reader.
To allow assistive devices:
5 Click Options and set the management setting to Always.
6 Select Enable access for assistive devices.
7 Click Apply Now.
Using the Preference Editor with Preference Manifests
Workgroup Manager includes a preference editor, which you can use to control any
Mac OS X application or utility developed using Apple standard conventions for
handling preferences.
ou can also use it to manage preferences that are not con6gurable in the workgroup
Manager main preferences interface.
As with the main preferences interface, you can use the preference editor to manage
preferences for users, groups, computers, and computer groups.
For example, in Safari you can disable JavaScript by setting the JavaScript Enabled key
to false. If you save this key in the Often group, the user can enable JavaScript during
their current login session but JavaScript is disabled when the user logs out and logs
in again.
Some application developers provide preference manifests. A preference manifest
simpli6es modi6cation of preferences by providing names and descriptions of keys
that are honored by an application, and tells you how to set them.
Preference manifests are similar to templates. Theyre not required, so you can edit the
preference key value of an application even if it doesnt provide a preference manifest.
lor applications without preference manifests, you can import a preference 6le from
~/library/Preferences, or you can import the application (and its preference 6le is
found automatically).
Preference manifests can be stored in an application package (a 6le ending with
.manifest, such as com.apple.Safari.manifest, in the packages /Contents/Resources/
folder), or they can be standalone 6les. lf manifests exist for an application, the
preference editor loads them when you add the application to the preference
editors list.
When you import preferences for an application, keys and values are added based on
the application's currently set preferences. lhis lets you apply your own con6guration
of applications to users applications.
You can add, remove, or edit keys, but some keys might not be well described if the
application doesnt have a preference manifest or if the key youre editing isnt in the
preference manifest.
Adding to the Preference Editors List
Before you can manage an application in the preference editor, you must add
the application or the application's preference 6le to the preference editor's list.
lhe application's preference 6le is in ~/library/Preferences/.
You can manage any application that uses Mac OS X preferences. To do this
you must set preferences for a local copy of that application stored on the
administration computer. lhen you can add the .plist 6le for the application stored in
~/Library/Preferences/ to the preference editors list.
You can also import application preferences when you add the application to the
preference editors list.
When you use your own application preferences, you can choose the management
frequency applied to those preferences:
Frequency Description
Once Similar to the Once setting in the main interface.
Sets a preference but allows the user to change
that preference and retain his or her changes.
Often Only available in the preference editor. Allows
users to modify their preferences but the
preferences revert to your managed setting every
time the user begins a new session.
Always Similar to the Always setting in the main
interface. Sets a preference and usually does not
allow the user to modify the preference.
Some applications use bylost preferences. lhese preferences apply to a speci6c user
for a speci6c computer. lor example, if a network user sets screen saver preferences,
they are saved as ByHost preferences. The users screen saver preferences are saved for
the current computer but are not applied when the user uses other computers.
If users typically run Mac OS X v10.5 or later, its usually a good idea to import
preferences as ByHost preferences. If users typically run earlier versions of Mac OS X,
dont import preferences as ByHost preferences.
Some applications use but dont properly respect ByHost preferences. Test your
settings with Import as ByHost preferences selected and deselected to see if the
application youre managing respects ByHost preferences.
To add to the preference editors list:
1 In Workgroup Manager, click Preferences and then click Details.
4 Click the Add (+) button.
5 Select an application in /Applications, or a .plist 6le located in ~/library/Preferences/.
Applications without preference manifests appear in italics.
6 If youve selected an application and set preferences for it, you can select Import my
preferences for this application.
7 Choose a management setting from the Manage imported preferences pop-up
menu.
lf you've selected a preference 6le located in ~/library/Preferences/bylost and you've
chosen Once or Often from the Manage imported preferences pop-up menu, you can
select Import as ByHost preferences.
8 Click Add.
9 If youre asked to replace the manifest, click Replace to replace the manifest.
Replacing the manifest changes the underlying manifest 6le for the application but it
doesnt change existing managed preferences.
10 If youre asked to replace the managed preferences, click Replace to remove existing
managed preferences and replace them with preferences from the application youre
adding.
Editing Application Preferences with the Preference Editor
You can use the Workgroup Manager preference editor to edit and manage
application-speci6c preferences.
An application that follows Apple standard conventions for handling preferences will
respect the settings in a preference manifest. For applications without preference
manifests, test your settings to make sure they produce the desired results.
Before using the preference editor to manage application preferences, add the
application or its preference 6le to the preference editor's list. lor instructions, see
Adding to the Preference Editors List on page 248.
The preference editor divides keys by management frequency, as described below.
Frequency Description
Once Similar to the Once setting in the main interface.
Sets a preference but allows the user to change
that preference and retain his or her changes.
Often Only available in the preference editor. Allows
users to modify their preferences but the
preferences revert to your managed setting when
a user begins a new session.
Always Similar to the Always setting in the main
interface. Sets a preference and usually does not
allow the user to modify the preference.
Note: Always might still allow users to modify preferences. For this reason, Often is
usually a better choice for making persistent preference changes.
Important: When you add or modify keys, always test the additions or changes to
make sure they work as expected.
To edit application preferences:
4 Select an item in the list and click the Edit (pencil) button.
5 To locate the keys you want to change, click the disclosure triangles.
6 lo add a key to the application's preferences 6le, click the disclosure triangle for the
frequency, select the frequency, click New Key, click the New Item entry that is created,
and choose a key from the pop-up menu, or choose Edit and enter a new key.
If you dont click the disclosure triangle and select the frequency, the New Key button
is deactivated.
7 To change the keys current settings, click the keys type or value.
If you change the type to a setting that is not by default enabled by the preference
manifest, the preference 6le editing screen indicates the mismatch with an arrow icon.
This does not prevent you from changing the key type or value.
8 Click Apply Now and then click Done.
Removing an Applications Managed Preferences in the Preference
Editor
You can remove all managed preferences for any entry in the preference editors list.
If you added an application without a preference manifest, the application is also
removed from the preference editors list when you remove all of its managed
preferences.
This action does not delete an applications preference manifest or the applications
preferences 6le. lo remove all preference manifests from workgroup Vanager, close
Workgroup Manager and delete ~/Library/Preferences/com.apple.mcx.manifests.
To disable management of an applications preferences:
4 Select an entry with managed preferences.
Entries with managed preferences are noted by a cursor icon in the left column.
This can only be done one entry at a time.
5 Click the Remove (-) button and then click Remove in the con6rmation dialog.
Using the Preference Editor to Manage Core Services
You can add several important manifests by adding a single core services bundle.
These manifests allow management of many features that are unavailable through the
main preference editing interface.
For example, you can disable Bluetooth, lock iTunes parental controls, and set the
license number and registration key for all iwork '08 installations.
Core service manifests include:
Manifest Examples of things you can change
Bluetooth Enable or disable Bluetooth.
Dashboard Enable or disable Dashboard.
Desktop Picture Set the Desktop background image.
Dock Customize how the Dock looks.
Folder Redirection Save cached 6les to /tmp on the local computer.
lhis can reduce network tra1c. ou can't redirect
folders to a network location.
Home Sync Fine-tune mobility settings, such as how to
resolve conicts.
iCal Change iCal settings such as Kerberos usage, SSL
usage, and refresh intervals.
iChat Change iChat settings such as account name and
info, and SSL and Kerberos usage.
lnternet Con6guration Change Internet settings such as the mail server,
mail information, default web browser, and
default mail application.
iTunes Set iTunes parental controls and enable or disable
podcasts and music sharing.
iWork Registration Set iwork '08 registration information.
Kerberos Login Set Kerberos name and realm.
Menu Extras Add nonstandard menus to the menu bar.
Mobile Account & Other Options Change mobile account settings like FileVault
use, enable sync encryption, set mobile account
lifetime, and customize the mobile account
creation dialog.
Quicktime Pro Key Set QuickTime registration information.
Screen Saver Set screen saver settings.
Sidebar Add custom locations such as /Users/Shared/ to
the sidebar in Finder.
Sleep & Screen Saver Password Enable or disable screen saver passwords.
VPN Settings Change VPN settings such as VPN server
information, login name, and authentication type.
By default, these manifests dont show keys. You must click the disclosure triangle next
to the frequency, select the frequency, and then click New Key. When you click the
name of the new key, youll see all available keys for that frequency.
Some keys only work with speci6c management frequencies. lor example, you can
only enable Disable Bluetooth by adding a new key with the frequency Always.
To add the core services bundle to the preference editor list:
4 Click the Add (+) button.
5 Select /System/Library/CoreServices/ManagedClient.app and click Add.
Using the Preference Editor to Manage Safari
Safari is a good example of an application that can be managed by editing its
preference manifest.
lhe Safari version included with Vac OS \ v10.5 or later is more con6gurable than
previous versions of Safari. lt includes more than 30 con6gurable preferences,
including:
Home Page
Default Font
Command-Click Makes Tabs
AutoFill Passwords
AutoFill Credit Cards
Java Enabled
JavaScript Enabled
Ask Before Submitting Insecure Forms
When you add Safari to the preference editor list, two entries are added. The com.
apple.Safari preference manifest includes most con6gurable preferences, while com.
apple.webloundation includes a con6gurable preference for the cookie acceptance
policy.
By default, these manifests dont show any keys. You must click the disclosure triangle
next to the frequency, then select the frequency and click New Key. When you click the
name of the new key, you see available keys for that frequency.
To add Safari to the preference editor list:
4 Click the Add (+) button, select /Applications/Safari, and then click Add.
The preference manifests included with older versions of Safari dont have as many
con6gurable preferences as the Safari version included with Vac OS \ v10.5 or later.
You can replace old Safari preference manifests by adding the new Safari application,
and then clicking Replace in the dialog that appears.
5 To edit Safari preferences, select Safari (with the Preference ID com.apple.Safari), click
the Edit (pencil) button, and then add keys youd like to manage.
For more information, see Editing Application Preferences with the Preference
Editor on page 249.
Using the Preference Editor to Manage Apple Remote Desktop
You can manage Apple Remote Desktop (also known as Remote Desktop) report
settings for computers or computer groups in the preference editor. You must have
Remote Desktop v3.3 or later installed on your administrator computer.
When you add Remote Desktop to the preference editor list, three preference
manifests are added:
com.apple.ARDAgent Task server white list and reporting cache policy.
lhese settings a1ect the managed computer as a
Remote Desktop client.
com.apple.RemoteDesktop Remote Desktop application preferences such as
restricting features.
lhese settings a1ect the Remote 0esktop
application if it is run on the managed computer.
com.apple.RemoteManagement Advanced Screen Sharing server and multicast
6le copy settings.
lhese settings a1ect the managed computer as a
Remote Desktop client and administrator.
By default, these manifests dont show keys. You must click the disclosure triangle next
to the frequency, then select the frequency and click New Key. When you click the
name of the new key, you see available keys for that frequency.
To add Apple Remote Desktop to the preference editor list:
4 Click the Add (+) button, select /Applications/Remote Desktop, and then click Add.
5 To edit Remote Desktop preferences, select a Remote Desktop entry in the list, click
the Edit (pencil) button, and then add keys youd like to manage.
For more information, see Editing Application Preferences with the Preference
Editor on page 249.
Managing Preferences from the Command Line
To control managed preferences, use managed client extensions with the dscl
command. You can use the mcxquery command to view e1ective managed
preferences for users, workgroups, and computer groups. You can use the mcxrefresh
command to make managed preferences take e1ect immediately, even while a user is
logged in.
Using Managed Client Extensions
Although you can use other dscl commands to control managed preferences, using
managed client command extensions with dscl provides an easier way. You can use
these extensions in interactive or command-line modes.
The dscl command provides the following managed client extensions:
Extension Description
-mcxread Displays the existing values of an managed client
preference key.
-mcxset Sets the value of an managed client preference
key.
-mcxedit Updates the value of an managed client
preference key.
-mcxdelete Removes management for the speci6ed
managed client preference keys.
-mcxexport Same functionality as the -mcxread command,
but stores the output in the speci6ed 6le using
the speci6ed format. lhe resulting 6le can later
be imported using the -mcximport command.
-mcximport Imports the keys and values previously exported
using the -mcxexport command.
-mcxhelp Displays help information for managed client
extensions.
Syntax
These command extensions have the following syntax:
-mcxread recordPath [-v mcxVersion] [-o filePath] [-format {xml | plist |
text}] [appDomain [keyName]]
-mcxset recordPath [-v mcxVersion] appDomain keyName [mcxDomain [keyValue
[UPK]]]
-mcxedit recordPath [-v mcxVersion] appDomain keyPath [keyValue]
-mcxdelete recordPath [-v mcxVersion] [appDomain [keyName]]
-mcxexport recordPath [-o filePath] [-format {xml | plist | text}]
[appDomain [keyName]]
-mcximport recordPath [-d] filePath
-mcxhelp
recordPath The record in the service directory node to be
accessed (for example, /LDAPv3/127.0.0.1/
Users/sam).
This parameter is always required, but if you
are in interactive mode, you can use a period to
represent the current directory.
mcxVersion The version of the key to be retrieved. If you
omit this parameter, the command searches for
version 1 keys.
-format lhe format of the output 6le (\Vl, plist, or text).
optArgs (Optional) One or more options.
appDomain (Optional) An applications domain. For example,
the application domain for the Dock is com.
apple.dock.
keyName (Optional) The name of the managed preference
(for example, familyControlsEnabled,
mcx_emailAddress, and mcx_
defaultWebBrowser).
mcxDomain (Optional) The type of management applied to
the key. Legal values are:
none (not managed)
always
once
often
unset
keyValue (Optional) The new value to be used for a key.
You can specify this parameter using the same
syntax as that of the defaults command.
For more information, see the man page of the
defaults command.
When specifying plist or xml values, enclose
the parameter in single quotes (for example,
(authenticate, eject) and
<real>64.0</real>).
UPK (Optional) The value for the Union Policy Key
(UPK). If present, the UPK must be speci6ed as
a dictionary. The valid keys for the dictionary
include:
mcx_input_key_names or input (single
string or array of strings)
mcx_output_key_names or output (single
string)
mcx_remove_duplicates (boolean)
mcx_union_as_dictionary (boolean)
mcx_replace (boolean)
If mcx_input_key_names or mcx_output_
key_name is omitted, the value of keyName is
used instead.
keyPath (Optional) The path to a sub-plist in an
existing key value. For example, mount-
controls:dvd:1 means the second element
the array with the key dvd the key mount-
controls.
filePath (Optional) lhe location of the output or input 6le.
-d lhe keys found in the import 6le from the record
that should be deleted. This is equivalent to
calling -mcxdelete for every key in the import
6le. lhe value of the key in the import 6le is
ignored.
Example
The following command sets the autohide key in the com.apple.dock domain to a
value of TRUE with always for management.
$ dscl -mcxset /LDAPv3/127.0.0.1/Users/sam com.apple.dock autohide always
-bool 1
The following command removes preference management for the autohide key in the
com.apple.dock domain for the current record:
$ dscl
> cd /LDAPv3/127.0.0.1/Users/sam
/LDAPv3/127.0.0.1/Users/sam > mcxset . com.apple.dock autohide none
The following command displays, in plist format, all keys for all application domains for
the current record:
$ dscl
/LDAPv3/127.0.0.1/Users/sam > mcxread . -format plist = =
The following command changes the autohide key to TRUE, preserving the current
management setting:
$ dscl
/LDAPv3/127.0.0.1/Users/sam > mcxedit . com.apple.dock autohide -boot 1
The following command causes the autohide Dock key to no longer be managed:
$ dscl
/LDAPv3/127.0.0.1/Users/sam > mcxdelete . com.apple.dock autohide
The following command exports the keys in the com.apple.dock domain for the
current record to the /tmp/export.plist 6le.
$ dscl
/LDAPv3/127.0.0.1/Users/sam > mcxexport . -o /tmp/export.plist com.apple.
dock
lhe following command imports the keys in the /tmp/export.plist 6le into the current
directory:
$ dscl
/LDAPv3/127.0.0.1/Users/sam > mcximport . /tmp/export.plist
For more examples, use the mcxhelp extension.
Determnng L6ectve Managed Preferences
ou can use workgroup Vanager to con6gure managed preferences at the user,
workgroup, and computer level. 0etermining the e1ective managed preferences for a
users computer experience is not easy, especially if the managed user is a member of
many managed workgroups and each workgroup is a member of a di1erent computer
group.
lo simplify the process of determining e1ective managed preferences, Vac OS \
Server provides the mcxquery command. You can use this command to determine the
e1ective managed preferences for user, workgroup, or computer group records.
Syntax
$ mcxquery options -user userName -group groupName -computer computerName
options (Optional) Two options for specifying the name
and format of the 6le where the results of the
query (the e1ective managed preferences) are
stored:

-
o fileName. lhe name of the output 6le
(including the path) where the results of
running this command are stored.

-
format {space | tab | xml}: The
format of the output, which can be space-
delimited, tab-delimited, or XML.
userName (Optional) The short name of a user. If you do not
provide the short name for this option or if you
use the equal sign (=), this command uses the
short name of the logged in console user.
groupName (Optional) The short name of a workgroup.
A value of = indicates the workgroup (if any)
chosen for the current login session.
computerName (Optional) The short name of the computer
group, the MAC address of a computer, or the
UUID of the computer. If you do not provide a
value for this option or if you use the equal sign
(=), this command uses the MAC address of the
current computer.
Examples
The following example displays the managed preferences for Sam and stores the
results in \Vl format in the samPrefs.out 6le.
$ mcxquery -o samPrefs.out -user sam
The following example displays the managed preferences for Jane, who is logged
in using the science workgroup from a computer that is a member of the lab1_12
computer group:
$ mcxquery -user jane -group science -computer lab1_12
The following example displays the managed preferences for Jane, who is logged
in using the science workgroup from the computer whose Ethernet MAC address is
11:22:33:44:55:66:
$ mcxquery -user jane -group science -computer 11:22:33:44:55:66
Manually Refreshing Managed Preferences
You can manually refresh managed preferences for a user. If a user is logged out, the
users preferences are refreshed when the user logs in. If the user is logged in, you
must manually refresh managed preferences for the latest changes to apply.
Syntax
$ mcxrefresh [-u 'uid'] [-n 'userName']
uid (Optional) The user ID of the user to be refreshed.
If you do not provide the user ID for this option,
this command uses the logged in console user.
userName (Optional) The short name of a user. If you do
not provide the short name for this option, this
command uses the logged in console user.
Examples
The following examples refresh the managed preferences for a user with the short
name ajohnson, and user ID 1007:
$ mcxquery -uid 1007
$ mcxquery -n 'ajohnson'
261
If you encounter problems as you work with Workgroup
/CPCIGT[QWOC[PFCUQNWVKQPKPVJKUEJCRVGT
If the answer to your question isnt here, try searching Workgroup Manager Help for
new topics. You can also search the Apple Service & Support website for information
and solutions at www.apple.com/support/.
Diagnosing Common Network Issues
Before you try the solutions in this chapter, make sure your network is properly
con6gured.
In particular, test your Network Time Protocol (NTP), Domain Name System (DNS), and
0ynamic lost Con6guration Protocol (0lCP) services.
For more information about NTP, DNS, or DHCP, see Network Services Administration.
Testing Your Networks Time and Time Zones
The many technologies and services in Mac OS X Server rely on having accurate time
settings on all networked computers.
Typically, computers are connected to an NTP server that provides accurate time
settings. You should still check your networked computers time settings using Apple
Remote Desktop (not included with Mac OS X Server). For more information about
Apple Remote Desktop, see www.apple.com/remotedesktop.
You can send the commands in the following procedure using the ssh command.
You can also test and correct a computers time settings in System Preferences. Both
methods allow you to test and correct one computer at a time, but with Apple Remote
Desktop you can test and correct many computers simultaneously.
To test your network computer time and time zones using Apple Remote Desktop:
1 In Apple Remote Desktop, send the following UNIX command to all computers:
sudo systemsetup -gettimezone
11
Solving Problems
Your computers should be set for the same time zone. If not, send the following UNIX
command:
sudo systemsetup -settimezone US/Pacific
Replace u5/|oc|hc with your time zone. For other time zones, see the man page for
systemsetup. For instructions on sending UNIX commands through Apple Remote
Desktop, see the Apple Remote Desktop Administrators Guide.
2 In Apple Remote Desktop, send the following UNIX command to all computers:
sudo systemsetup -gettime
Your computers should have times within a few minutes of each other. If they have a
range of times, send the following UNIX command:
sudo systemsetup -settime current_time
Replace current_time with the current time in 24-hour format, using HH:MM:SS (hour,
minute, second) notation.
Testing Your DNS Service
Your DNS service should allow you to discover a servers domain name when given an
IP address, or to retrieve an IP address when given a domain name. If your computers
cant do these tasks, perform further analysis on your DNS service. For a detailed
description of 0lS and for instructions on con6guring 0lS, see Network Services
Administration.
If you have Apple Remote Desktop installed, you can quickly test your entire network.
In Apple Remote Desktop, create a scanner that displays computers with IP addresses
in the range distributed by your DHCP server. If a computer is turned on, is not in sleep
mode, and is connected to your network, the computer should appear in the scanner.
The scanner displays the IP address given to the computer and the computers host
name. Computers that are not assigned host names by the DNS service are listed
without host names. If a computer is listed and has a valid IP address and host name,
the computer is receiving DHCP and DNS service.
For more information about how to use scanners in Apple Remote Desktop, see the
Apple Remote Desktop Administrators Guide.
If you do not have Apple Remote Desktop installed, you can perform the following
task to test a single computers ability to receive DNS service.
To test DNS on a single computer:
1 On a network computer that is not the server providing DNS service, open Network
Utility.
2 In the Lookup pane of Network Utility, enter the domain name of your Open Directory
master server and click Lookup.
262 Chapter 11 Solving Problems
Chapter 11 Solving Problems 263
The resulting log should have an answer section, which displays the IP address of
your Open Directory master server. If there is no answer section, or if the IP address is
incorrect, perform further analysis on your DNS service.
3 In the Lookup pane of Network Utility, enter the IP address of your Open Directory
master server and click Lookup.
The resulting log should display the domain name of your Open Directory master
server. If the domain name is incorrect, perform further analysis on your DNS service.
Note: Instead of using Network Utility, you can use the dig tool in Terminal. Enter the
following command in Terminal:
dig name_or_address
Replace name_or_address with the domain name or the IP address of your Open
Directory master server. The resulting log should have an answer section with the
correct IP address or domain name.
Testing Your DHCP Service
our 0lCP service should be con6gured to supply enough lP addresses to serve your
network. If a computer does not have a valid IP address, it cant be contacted through
your network. lor a detailed description of 0lCP and for instructions on con6guring
DHCP, see Network Services Administration.
If you have Apple Remote Desktop installed, you can quickly test your entire network.
In Apple Remote Desktop, create a scanner that displays computers with IP addresses
in the range distributed by your DHCP server. If a computer is turned on, is not in sleep
mode, and is connected to your network, the computer should appear in the scanner.
The scanner displays the IP address given to the computer and the computers host
name. Computers that are not assigned host names by DNS are listed without host
names. If a computer is listed and has a valid IP address and host name, the computer
is receiving DHCP and DNS service.
For more information about how to use scanners in Apple Remote Desktop, see the
Apple Remote Desktop Administrators Guide.
If you do not have Apple Remote Desktop installed, you can perform the following
task to test a single computers ability to receive DHCP service.
To test DHCP on a single computer:
1 In Server Admin, click the disclosure triangle at the left of the server providing DHCP
service.
This displays all of the servers services.
2 Select DHCP and click Subnets.
The Subnets pane lists the addresses your DHCP server supplies.
3 On a client computer, open Network Utility, click Info, and then select the network
interface that connects to your network.
If the displayed IP address is not in your range of supplied addresses, the computer is
not receiving an IP address through your DHCP service.
If the IP address is 169.254.x.x, it is a self-assigned IP address. This means your
computer is not receiving DHCP service.
If the IP address is not an assigned address and is not 169.254.x.x, the computer is
receiving DHCP service from a DHCP server other than yours.
Solving Account Problems
Follow the suggestions in this section when problems arise with user and group
account administration.
If You Want to Use Earlier Versions of Workgroup Manager
If you have administrative applications and tools from Mac OS X Server v10.4 or earlier,
do not use them with Mac OS X Server v10.5 or later.
You can use Mac OS X Server v10.6 applications to administer Mac OS X Server v10.4.11
or later.
If You Cant Edit an Account Using Workgroup Manager
Editable domains include the local directory domain, Open Directory domains, and
other read/write directory domains.
Before you can edit an account using Workgroup Manager, authenticate as a directory
administrator. To authenticate, click the lock near the top of the Workgroup Manager
window.
If Users Cant See Their Names in the Login Window
When you upgrade Mac OS X and migrate users to a shared directory on the new
server, some users might not appear in the login window. The login window does not
list system users, but they can still log in by entering their user names and passwords.
The login window lists users depending on how Login preferences are managed. For
more information, see Changing the Appearance of the Login Window on page 202.
If You Cant Unlock an LDAP Directory
To make changes in a directory domain, you must authenticate with the name and
password of a directory administrator. Therefore, to edit an entry in a shared LDAPv3
directory domain, you must authenticate in Workgroup Manager using the name and
password of an administrator account in that LDAPv3 directory domain.
You cant use an administrator account in the computers local directory domain to
authenticate as an administrator of a shared LDAP directory.
If You Cant Modify a Users Open Directory Password
To modify the password of a user whose password type is Open Directory,
you must be an administrator of the directory domain where the users record
resides. In addition, your user account must have a password type of Open Directory.
Setting up an Open Directory master (using Server Assistant or the Open Directory
service settings in Server Admin) creates a directory administrator account with an
Open Directory password. You can use this account to set up other user accounts as
directory administrators with Open Directory passwords.
If You Cant Change a Users Password Type to Open Directory
To change a users password type to Open Directory authentication, you must be an
administrator of the directory domain where the users record resides. In addition,
your user account must be con6gured for Open 0irectory authentication.
When the Open Directory master is set up (using the Open Directory service settings
in Server Admin) the initial user account is a directory administrator account with an
Open Directory password. You can use this account to set up other user accounts as
directory administrators with Open Directory passwords.
If You Cant Assign Server Administrator Privileges
To assign server administrator privileges to a user on a server, connect to the server
in Workgroup Manager and authenticate in the directory domain. Select the users
account (or create an account for the user), and then select User can administer this
server in the Basic pane.
If Users Cant Log In or Authenticate
If a user cant log in or authenticate to his or her account, consider the following to
determine whether the source of the authentication problem is con6guration-related
or due to the password:
Reset the password to a known value and then determine whether there is still a
problem. Try using a 7-bit ASCII password, which is supported by most clients.
Make sure the password contains characters supported by the authentication
protocol. Leading, embedded, and trailing spaces, as well as special characters
(such as pressing Option-8 to form a bullet), are not supported by some protocols.
For example, leading spaces work with POP and AFP, but not IMAP.
Make sure the users keyboard can generate all characters in the users password.
Crypt passwords dont support many authentication methods. To increase the
probability that a users client applications are supported, set the users password
type to Open 0irectory or suggest that the user try a di1erent application.
If the users account resides in a directory domain that is not available, create a user
account in a directory domain that is available.
Make sure the client software encodes the password so it is recognized correctly.
For example, Open Directory recognizes UTF-8 encoded strings, which might not be
sent by some clients.
Make sure the users current application and operating system support the users
password length. For example, Windows applications that use the LAN Manager
authentication method support only 14-character passwords, so a password longer
than 14 characters causes an authentication failure even though Windows service
supports longer passwords.
If you disabled authentication methods for Open Directory or shadow passwords
(such as APOP or LAN Manager) the users applications cant authenticate using the
disabled methods.
After enabling or disabling Open Directory Password Server or shadow password
authentication methods, you might need to reset the users password.
For information about enabling and disabling authentication methods, see Open
For Kerberos troubleshooting tips, see If Users Cant Authenticate Using Single Sign-
On or Kerberos on page 267.
lf a Vac OS v8.1-8.6 computer fails to authenticate for Apple 6le service, the
computers AppleShare Client software might need upgrading:
Mac OS v8.6 computers should use AppleShare Client v3.8.8.
Mac OS v8.18.5 computers should use AppleShare Client v3.8.6.
Vac OS v8.1-8.6 computers that have 6le server volumes mount during startup
should use AppleShare Client v3.8.3 with DHX UAM (User Authentication Module)
installed. DHX UAM is included with the AppleShare Client v3.8.3 installation
software.
If Users Relying on a Password Server Cant Log In
If your network has a server with Mac OS X Server v10.2, it could receive authentication
from an Open Directory password server hosted by another server. If the password
servers computer disconnects from your networkfor example, because you unplug
the cable from the computers Ethernet portusers whose passwords are validated
using the Password Server cant log in because their servers IP address isnt accessible.
Users can log in to Mac OS X Server if you reconnect the password servers computer
to the network. Alternately, while the password server's computer is o1ine, users can
log in with user accounts whose password type is crypt or shadow password.
If Users Cant Log In with Accounts in a Shared Directory Domain
Users cant log in using accounts in a shared directory domain if the server hosting the
directory isnt accessible. A server can become inaccessible due to a problem with the
network, the server software, or the server hardware.
Problems with the server hardware or software a1ect users trying to log in to
Mac OS X computers and users trying to log in to the Windows domain of a Mac OS X
Server primary domain controller (P0C). letwork problems might a1ect some users
but not others, depending on where the network problem is.
Users with mobile user accounts can still log in to the Mac OS X computers they used
previously. Users a1ected by these problems can log in using a local user account
de6ned on the computer, such as the user account created during setup after
installing Mac OS X.
If Users Cant Access Their Home Folders
Make sure users can access the share point where their home folders are located, and
make sure they can access their home folders. Users need Read access to the share
point and Read & Write access to home folders.
If Users Cant Change Their Passwords
Users who have accounts in the servers LDAP directory with a crypt password cant
change passwords after logging in.
These users can change passwords if you use the Advanced pane to change their
accounts User Password Type setting to Open Directory. When you make this change,
you must also enter a new password. Then you must instruct users to log in using this
new password and have them change it in the Accounts pane of System Preferences.
If Users Cant Authenticate Using Single Sign-On or Kerberos
lhere are several ways to remedy Kerberos authentication failures. ou can 6nd these
solutions, as well as a full description of how to recon6gure a server's computer record
for single sign-on and Kerberos authentication, in Open Directory Administration.
If You Cant Set User Wiki and Blog Settings
In Mac OS X Server v10.6 and later, users can create and manage their own wikis
and blogs live on the wiki server. These wikis and blogs are no longer tied to Open
Directory groups. Users can freely create wikis and assign access to people who arent
in Open Directory groups. Because users can create and manage their own wikis and
blogs live, you cant create wikis and blogs for users in Workgroup Manager.
You can choose which users and groups are allowed to create wikis and blogs in
Server Admin. For more information, see Wiki Services Administration.
Solving Problems with a Primary or Backup Domain
Controller
Problems with a primary domain controller (PDC) or backup domain controller (BDC)
can have several causes.
If a Windows User Cant Log in to the Windows Domain
Verify the following:
Make sure the user account has a password type of Open Directory.
Make sure the workstation has joined the Windows domain of Mac OS X Server.
If a Windows User Has No Home Folder
If a users home folder isnt mounted in Windows, verify the following:
Make sure the correct home folder location is selected in the Home pane of
Workgroup Manager.
Make sure the home folder path is correct in the Windows pane of Workgroup
Vanager. lt should be blank to use the home folder speci6ed in the lome pane.
Using Server Admin, connect to the server where the users home folder resides.
In the Servers list, select SMB, click Advanced, and then make sure Enable virtual
share points is selected.
lf the drive letter chosen for the user conicts with a drive letter that's in use on
the Windows workstation, change the drive letter setting in the Windows pane of
Workgroup Manager or the mappings of other drive letters on the workstation.
|f a Wndows 0ser's Proh|e Settngs kevert to Defau|ts
lhere are several reasons why a user's pro6le settings might revert to default.
lf the user pro6le location is not blank in the windows pane of workgroup Vanager,
the default share point for user pro6les is not used. ln this case, the user pro6le
location must specify a valid SVb share point. Vake sure the user pro6le location
speci6es an existing share point.
For more information, see Setting Up an SMB Share Point on page 130.
Vake sure the home folder is speci6ed correctly in the windows and lome panes
of workgroup Vanager. lhese panes should be con6gured in one of the following
ways:
If the home folder path in the Windows pane is blank, make sure the correct home
folder location is selected in the Home pane.
If the home folder path is not blank in the Windows pane, make sure the home
folder path speci6es a valid SVb share point.
lf the drive letter chosen for the user conicts with a drive letter in use on the
Windows workstation, change the drive letter setting in the Windows pane
of Workgroup Manager or change the mappings of other drive letters on the
workstation.
If a Windows User Loses the Contents of the My Documents Folder
Verify the following:
Make sure the correct home folder location is selected in the Home pane of
Workgroup Manager.
Vake sure the user pro6le path is correct in the windows pane of workgroup
Vanager. lf the user pro6le path is blank, the default pro6le folder is used.
lhe contents of Vy 0ocuments are stored in the user pro6le.
lf the drive letter chosen for the user conicts with a drive letter in use on the
Windows workstation, change the drive letter setting in the Windows pane
of Workgroup Manager or change the mappings of other drive letters on the
workstation.
Solving Preference Management Problems
This section describes problems you might encounter while using Workgroup Manager
to set up accounts or manage Mac OS X clients. It also provides troubleshooting tips
and possible solutions.
If your problem is not addressed here, check Workgroup Manager Help or consult the
Apple Service & Support website (www.apple.com/support/).
Testing Your Managed Client Settings
If your managed computers use Mac OS X v10.5 or later, you can view managed
settings in System Pro6ler on the computers.
Settings are organized by preference. For example, all managed Finder settings are
listed in com.apple.6nder.
1o vew managed c|ent settngs n System Proh|er:
1 On a client computer, open System Pro6ler.
2 Open the Software disclosure triangle and then choose Managed Client.
If Users Dont See a List of Workgroups at Login
If a user with a network account doesnt see a list of workgroups at login:
The user might not be in a group or might be in only one group. Hold down the
Option key during login to show the list of workgroups.
The users computer might not have its login preferences managed. In the Access
pane of login preferences, select Always show workgroup dialog during login.
This preference is available for clients with Mac OS X v10.5 or later.
Your client computers must use Mac OS X v10.4 or later to select from workgroups.
For more information about how to set login window access settings, see Customizing
the Workgroups Displayed at Login on page 206.
If Users Cant Open Files
Ordinarily, when users double-click a 6le in the linder or choose a 6le to open from
the lile menu in linder, the related default application opens the 6le for them. lf the
user is in a managed environment, this method might not always work.
lor example, suppose the default application for viewing P0l 6les is Preview. A user
logs in and double-clicks a P0l 6le on his or her desktop. lf the management settings
that apply to the user don't provide access to Preview, the 6le does not open. lf the
user has access to a di1erent application that can handle P0l 6les, the user can open
that application 6rst and then open the 6le.
To make sure commonly used applications are available to users, groups, or lists of
computers, use Workgroup Manager to add the application to the list of permitted
applications in the Applications pane of Preferences.
For more information, see Controlling User Access to Speci6c Applications and
If Users Cant Add Printers to a Printer List
If you manage Printing preferences, you can allow users to add printers to the list of
printers in Print & Fax System Preferences. In Printing preferences, select Allow user to
modify the printer list. If you dont select this, an administrator name and password is
required to add or remove printers in Print & Fax System Preferences.
Note: When a user tries to print a document from an application, the printer the user
added does not appear in the list of available printers. For more information, see
Preventing Users from Modifying the Printer List on page 236.
ou can also make printers available or unavailable to speci6c users, groups, or lists of
computers by using the Printer List pane of Printing preferences. For more information,
see Making Printers Available to Users on page 236.
If Login Items Added by a User Dont Open
In Workgroup Manager, you can use the Items pane of login preferences to specify
items that open when a user logs in. The items that open at login are a combination of
items speci6ed for the user, the computer being used, and the group chosen at login.
If your management frequency setting is Always, when you select User may add and
remove additional items, a user can add additional login items. Selecting Always
removes existing items from the users login items list and replaces them with the
items you list. It also prevents the user from disabling the items you list.
If your management frequency setting is Once, you can select Merge with users
items, which causes one of the following:
If the user has items in their login list (because he or she added them or they were
added through preference management), merging only opens login items that
appear on both the users list and your list.
If the users login list does not include any items, all managed login items will open.
If you do not select Merge with users items, all login items on either list will open.
If you select Once, a user can remove any items added to their login list.
For details about managing automatically opened items, see Automatically Opening
Items After a User Logs In on page 211.
If Items Placed in the Dock by a User Are Missing
In Workgroup Manager, you can use the Dock Items pane of Dock preferences to
specify items that appear in a users Dock. The set of items in a users Dock is a
combination of items speci6ed for the user, the computer being used, and the group
chosen at login.
If you deselect Merge with users Dock, all Dock items you place will override users
Dock items settings. Users cant add items to their Docks if you select Always and
deselect Merge with users Dock.
If you select Always, users cant remove items from their Docks.
For more information about how to add Dock items, see Adding Items to a Users
Dock on page 188.
If a Users Dock Has Duplicate Items
When you use Workgroup Manager to set up the same Dock item preferences for
more than one account type (user, group, computer, or computer group), a managed
users Dock can contain duplicate items. For example, an application icon might
appear more than once in the users Dock.
Duplicate applications or folders work as expected when you open them. To correct
duplicate Dock items, try removing Dock item preferences for all account types
that a1ect the user, then carefully con6gure the 0ock item preferences for the
account types.
If Users See a Question Mark in the Dock
You can use Workgroup Manager to control the items a user sees in his or her Dock.
Items in the Dock are aliases to original items stored elsewhere, such as on the
computers hard disk or on a remote server.
If you add items to a users Dock that are not on the users hard disk or other volume
mounted on the users computer, the items appear as question mark icons. Clicking
these icons does not open the items.
If you add an item that is on the server and the users computer, clicking the icon
opens the item on the users computer or mounted volume.
If Users See a Message About an Unexpected Error
When you manage Classic preferences and try to use the Extensions Manager, File
Sharing, or Software Update control panels, you might see a message that says The
operation could not be completed. An unexpected error occurred (error code 1016).
This message indicates that an administrator has restricted access to the item the user
attempted to use, such as an application the user is not allowed to open.
Users cant access the control panels mentioned above when Classic preferences are
managed.
Users might also see this message if you select Hide Chooser and Network Browser
and they attempt to use the Chooser.
The message also appears when a user tries to open an unapproved application (one
not listed in the Items pane of the Applications preference in Workgroup Manager) in
the Classic environment or in Mac OS X.
If You Cant Manage Network Views
Mac OS X Server v10.5 and later dont support managed network views.
To manage network views hosted on servers running Mac OS X Server v10.4, use the
version of Workgroup Manager included with Mac OS X Server v10.4.
273
Use Workgroup Manager to import and export accounts, or
use the dsimport command-line tool to import accounts.
You can quickly import or export user, group, computer, and computer group accounts
using Workgroup Manager. You can also use the dsimport command-line tool to
import user and group accounts.
Understanding What You Can Import and Export
You can import all record types that are tracked in Workgroup Manager. Common
record types include users, groups, computers, and computer groups. Starting with
Mac OS X Server v10.4, you can import partial attributes of individual records, and
combine attributes from di1erent records.
when importing from custom 6les, the only attribute a record must have is a record
name.
For a list of attributes, open Terminal and enter man DirectoryServiceAttributes.
Alternately, if you have Xcode installed, you can view a list of attributes
with improved formatting and more detailed descriptions by opening
/System/Library/Frameworks/DirectoryService.framework/Headers/DirServicesConst.h.
ou can't use an import 6le to change the following prede6ned users. daemon, root,
nobody, unknown, or www. ln addition, you can't use an import 6le to change the
following prede6ned groups. admin, bin, daemon, dialer, mail, network, nobody,
nogroup, operator, sta1, sys, tty unknown, utmp, uucp, wheel, or www. lowever,
you can add users to the wheel and admin groups.
You can use the dsimport tool to import records from a text-delimited 6le.
For descriptions of common record types and attributes, see Open
Directory Administration. For a more complete list of attributes, enter man
DirectoryServiceAttributes, or view the 0irServicesConst.h 6le.
A
p
p
e
n
d
i
x
Importing and Exporting Account
Information
274 Appendix Importing and Exporting Account Information
Limitations for Importing and Exporting Passwords
When creating or overwriting records, you must reset passwords for user accounts
with Open Directory or shadow passwords. Importing passwords generally works if the
password is a plain-text string in the import 6le.
Additionally, you must set the AuthMethod attribute so Workgroup Manager can
import the password. You cant recover encrypted passwords in hash format in the
import 6le.
You cant export passwords using Workgroup Manager or any other method. If you
import user accounts from an export 6le, remember to manually set passwords or set
default passwords to a known value.
Before exporting user accounts (or after importing them), you can set up a password
policy that requires users to change their password at 6rst login. lor instructions on
con6guring password options, see "Choosing a Password Type and Setting Password
Options on page 78.
Maintaining GUIDs When Importing from Earlier Versions of
Mac OS X Server
Clobally unique identi6ers (CUl0s) are used to verify user and group identity for ACl
permissions and to manage user membership in groups and hierarchical groups. When
you use Workgroup Manager or the dsimport tool to import users and groups created
on versions of Mac OS X Server earlier than v10.4, GUIDs are automatically assigned.
After upgrading or migrating your server to Mac OS X Server v10.6, back up your
accounts by exporting user and group accounts to ensure that all your accounts have
GUIDs.
lf you need to restore user or group accounts in the future, the generated export 6le
enables you to import users and groups with their CUl0s (as well as 6le permissions
and group memberships) intact.
If you lose user accounts and you then create new accounts with the same UID, GID,
and short names as the lost accounts, the replacement accounts have new GUIDs
assigned. A users new GUID wont match the previous GUID, so the user wont retain
prior ACL permissions or group memberships.
Similarly, if you import users or groups from a 6le that doesn't include the CUl0
attribute, Mac OS X Server assigns new GUIDs to every imported user and group.
lo make sure that CUl0s and their relationship to speci6c users and groups remain the
same if you need to reimport users and groups, create an export 6le using Vac OS \
Server v10.6 and use this 6le instead of the export 6le created with an earlier server
version.
Appendix Importing and Exporting Account Information 275
Archiving the Open Directory Master
Instead of exporting and importing records as a backup of directory data, you can
archive and restore the Open Directory masters directory and authentication data.
By archiving a copy of the Open Directory masters directory, you can later restore the
directory with passwords intact.
Using Workgroup Manager to Import Accounts
You can use Workgroup Manager to import user, group, computer, and computer
group accounts into an Open 0irectory domain. when a 6le is imported, workgroup
Vanager identi6es the record format.
Before trying to import accounts using Workgroup Manager, create a character-
delimited or \Vl 6le containing the accounts to import and place it in a location
accessible by the computer from which you use Workgroup Manager.
An Open 0irectory domain supports 6les with up to 200,000 records.
Important: workgroup Vanager can only import 6les that use Ull\ line breaks.
when editing import 6les, use a text editor that supports Ull\ line breaks.
You can also use the dsimport tool to import records from a text-delimited 6le. lor
more information, see Using the Command Line to Import Accounts on page 276.
lor information about how to create a character-delimited 6le by hand or by using a
database or spreadsheet application, see Creating a Character-Delimited User Import
File on page 278.
To import accounts using Workgroup Manager:
3 Click the globe icon and choose the domain where you want to import accounts.
administrator.
5 Choose Server > lmport and select an import 6le.
6 To indicate what to do when the short name of an account being imported matches
that of an existing account, select one of the following Duplicate Handling options:
Overwrite existing record overwrites any existing record in the directory domain.
"lgnore new record' ignores an account in the import 6le.
"Add to empty 6elds' merges data from the import 6le into the existing account
when the data is for an attribute that has no value.
"Append to existing record' appends data to existing data for a speci6c multivalue
attribute in the existing account. Duplicates are not created. You can use this option
when importing members into an existing group.
Dont check for duplicates disables checking for duplicates, but it can cause
miscon6gured records and unexpected results. Vake sure there are no duplicates
before choosing this option. When you enable this option, it can decrease the time
required to import.
7 To enable presets for a user or a group, select Preset for Users or Preset for Groups and
choose presets from the two pop-up menus.
lf a setting is speci6ed in the preset and an import 6le, the value in the import 6le is
used. lf a setting is speci6ed in the preset but not in the import 6le, the value in the
preset is used.
For more information about how to create presets, see Creating a Preset for User
Accounts on page 63 and Creating a Preset for Group Accounts on page 98.
8 ln the lirst User l0 6eld, enter a user l0 for new user accounts without user l0s in the
import 6le.
New User IDs are then sequentially assigned for other accounts without listed user IDs.
9 ln the Primary Croup l0 6eld, enter the group l0 to assign to new user accounts for
users that have no primary group l0 in the import 6le.
10 Choose the level of detail for the log from the Logging Detail pop-up menu.
Every time you import, a new log is created in ~/Library/Logs/ImportExport/.
11 Click Import.
Using the Command Line to Import Accounts
To import user and group accounts into a folder, use dsimport. The dsimport tool
permits logging at three levels with the -l switch. You can also use the dsimport tool
to import records from a exible text-delimited 6le.
For more information, see the dsimport man page. For a list of record types and
attributes, see Open Directory Administration. This also describes how to edit permitted
attributes for each record type for use in an LDAP folder.
The dsimport tool is located in /usr/bin/.
lor information about the formats of the 6les you can import, see "Creating a
Character-Delimited User Import File on page 278.
$ dsimport (-g|-s|-p) filepath DSNodePath (O|M|I|A|N) -u user -p password
[options]
-g|-s|-p Specify one of these to indicate the type of 6le
youre importing:
-g for a character-delimited 6le
-s for an \Vl 6le exported from Users 8 Croups
in Mac OS X Server v10.1.x
-p for an \Vl 6le exported from AppleShare lP
v6.x
filepath Specify the path of the 6le to import.
DSNodePath Specify the path to the Open Directory server
node where the imported records will be added.
O|M|I|A|N Use to specify how user data is handled if a
record for an imported user exists in the folder:
O: Overwrite the matching record.
M: Merge the records. Empty attributes in the
folder and assume values from the imported
record.
I: Ignore imported record and leave the record
unchanged.
A: Append data from an import record to an
existing record.
N: Do not check for duplicates.
user Specify the name of the Open Directory directory
administrator.
password Specify the password of the Open Directory
directory administrator.
options Use to specify additional command options. To
see available options, execute the dsimport
command with no parameters.
To import users and groups:
1 Create a 6le containing the accounts to import, and place it in a location accessible
from the importing server.
ou can export this 6le from an earlier version of Vac OS \ Server or AppleShare lP 6.3,
or you can create a character-delimited 6le. See "Creating a Character-Delimited User
Import File on page 278.
Open Directory supports up to 200,000 records.
2 Log in as the administrator of the directory domain you want to import accounts into.
3 Use the dsimport tool to import users and groups.
lor example, to import a 6le generated by workgroup Vanager named "sample' and
export it into the LDAPv3 directory located at 192.168.2.2, use the following command:
$ dsimport -g sample /LDAPv3/192.168.2.2 -O -u diradmin
Replace diradmin with the short name of the directory administrator. When two
records match, the import 6le overwrites the matching record.
4 To create home folders for imported users, use createhomedir.
See Con6guring Portable Computers on page 152.
Creating a Character-Delimited User Import File
ou can create a character-delimited 6le by using workgroup Vanager or dsimport
to export accounts in the LDAP directory of an Open Directory master. You can also
create a character-delimited 6le manually by using a script, or by using a database or
spreadsheet application.
lhe 6rst record in the 6le, the record description, describes the format of each account
record in the 6le. lhere are three options for the record description.
Write a full record description
Use the shorthand StandardUserRecord
Use the shorthand StandardGroupRecord
lhe other records in the 6le describe user or group accounts, encoded in the format
described by the record description. A line in a character-delimited 6le that begins
with # is ignored during importing.
Writing a Record Description
lhe record description speci6es the 6elds in each record in the character-delimited 6le,
speci6es the delimiting characters, and speci6es the escape character that precedes
special characters in a record.
lncode the record description using the following elements in the order speci6ed,
separating them with a space:
End-of-record indicator (in hex notation)
Escape character (in hex notation)
Field separator (in hex notation)
Value separator (in hex notation)
lype of accounts in the 6le ( dsRecTypeStandard:Users or
dsRecTypeStandard:Groups)
Number of attributes in each account record
List of attributes
For user accounts, the list of attributes must include the following, although you can
omit UID and PrimaryGroupID if you specify a starting UID and a default primary group
l0 when you import the 6le.
RecordName (the users short name)
Password
UniqueID (the UID)
PrimaryGroupID
RealName (the users full name)
In addition, you can include:
UserShell (the default shell)
NFSHomeDirectory (the path to the users home folder)
Other user data types, described in Open Directory Administration.
For group accounts, the list of attributes must include:
RecordName (the group name)
PrimaryGroupID (the group ID)
GroupMembership
The following is an example of a record description:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7
RecordName Password UniqueID PrimaryGroupID
RealName NFSHomeDirectory UserShell
The following is an example of a record encoded using the previous description:
anne:Adl47E$:408:20:A. Johnsons, M.D.:/Network/Servers/somemac/Homes/
anne:/bin/csh
The record consists of values, delimited by colons. Use a double-colon (::) to indicate
that a value is missing.
The following is another example, which shows a record description and user records
for users whose passwords are to be validated using Password Server. The record
description should include a 6eld named dsAttrTypeStandard:AuthMethod, and the
value of this 6eld for each record should be dsAuthMethodStandard:dsAuthClearText:
dsAttrTypeStandard:RecordName dsAttrTypeStandard:AuthMethod
dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID
dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:Comment
dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell
skater:dsAuthMethodStandard\:dsAuthClearText:pword1:374:11:comment:
Tony Hawk:/bin/csh
mattm:dsAuthMethodStandard\:dsAuthClearText:pword2:453:161::
Matt Mitchell:/bin/tcsh
As these examples illustrate, you can use the pre6x dsAttrTypeStandard: when
referring to an attribute, or you can omit the pre6x. when you use workgroup Vanager
to export character-delimited 6les, it uses the pre6x in the generated 6le.
When importing user passwords, you can insert the following in the list of attributes to
set the users password type to Open Directory:
dsAttrTypeStandard:AuthMethod
lhen, insert the following in the formatted record (in this example, the user 's
password is password):
dsAuthMethodStandard\:dsAuthClearText:password
Note: ln this example, the colon (.) is the 6eld separator. because there is a colon in the
description for this attribute, the escape character must be used to indicate that the
colon should not be treated as a delimiter. The backslash (\) is the escape character
in this example. lf the 6eld separator is anything other than the colon, the escape
character is not needed.
The method for setting an imported users password type to Open Directory requires
that the imported data has a password value. If the password value is missing for
a user, the corresponding user record is created with a password type of Crypt or
Shadow Password.
Before importing user accounts, remember to manually set passwords or set default
passwords to a known value. After importing user records, you can set up a password
policy that requires users to change their password at 6rst login.
Note: Importing passwords generally works only if the password is a plain text string
in the import 6le. Additionally, you need to set the AuthVethod attribute so that
dsimport can import the password. Encrypted passwords that are in hash format
in the import 6le cannot be recovered. Also, passwords cannot be exported using
Workgroup Manager or any other method.
Using StandardUserRecord Shorthand
when the 6rst record in a character-delimited import 6le contains
StandardUserRecord, the following record description is assumed:
RecordName Password UniqueID PrimaryGroupID
RealName NFSHomeDirectory UserShell
An example user account looks like this:
anne:Adl47E$:408:20:A. Lo, M.D.:/Network/Servers/somemac/Homes/anne:/bin/
csh
Using StandardGroupRecord Shorthand
when the 6rst record in a character-delimited import 6le contains
StandardGroupRecord, the following record description is assumed:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Groups 4
RecordName Password PrimaryGroupID GroupMembership
The following is an example of a record encoded using the description:
students:Ad147:88:johnson,miller,clark,chen,wong
Using Workgroup Manager to Export Accounts
You can use Workgroup Manager to export user, group, computer, and computer
group accounts from an Open 0irectory domain into a character-delimited 6le that
you can import into a di1erent l0AP directory domain.
You can also use the dsexport tool to export records to a text-delimited 6le. lor more
information, see Using the Command Line to Export Users and Groups on page 282.
To export accounts using Workgroup Manager:
2 Make sure that the directory services of the Mac OS X Server youre using are
con6gured to access the desired directory domain.
3 Click the globe icon and then choose the domain where you want to import accounts.
administrator.
5 Select the accounts to export.
To choose multiple accounts to export, select the accounts while holding the
Command or Shift key.
6 Choose Server > Export.
7 Specify the name to assign to the export 6le and where you want to create it.
lo browse to a location for storing the export 6le, click the disclosure triangle.
8 Click Export.
Using the Command Line to Export Users and Groups
To export records from Open Directory use dsexport.
The dsexport tool is in the /usr/bin/ folder.
$ dsexport filePath DSNodePath recordType options DSProxy
filepath lhe name (including the path) of the 6le to
export.
DSNodePath The path to the Open Directory server node to
export records from.
recordType (Optional) The type of record to be exported
from the Open Directory server node.
options Additional command options. To see available
options, execute the dsexport command with
no parameters. Also, see the commands man
page.
DSProxy (Optional) A set of options for connecting to a
proxy system. All options are needed. If you do
not specify the password as an argument, the
tool prompts you for it. Options are:
-a proxyAddress: The address of the proxy
machine the user wants to use.
-u proxyUser: The username to use for the
proxy connection.
-p proxyPassword: The password to use for
the proxy connection.
For example, use the following to export user records from the local Open Directory
server node and store the exported data in the exportedUserRecords.out 6le.
$ dsexport exportedUserRecords.out /Local/Default dsRecTypeStandard:Users
Use the following to export group records for admin and sta1 from the l0APv3 node
on the proxy system (proxy.machine.com) to the exportedCroupRecords.out 6le.
$ dsexport exportedGroupRecords.out /LDAPv3/127.0.0.1
dsRecTypeStandard:Groups -r admin, staff -a proxy.machine.com -u
diradmin -p pass
Using XML Files Created with Mac OS X Server v10.1 or Earlier
ou can use Server Admin in Vac OS \ Server v10.1 or earlier to create an export 6le
and import that 6le into an Open 0irectory domain using workgroup Vanager or
dsimport.
lhe following user account attributes are exported into the \Vl 6les. An error occurs
when you import a 6le with missing required attributes.
Indication of whether user can log in
Indication of whether user is a server administrator
User ID (required)
Primary group ID (required)
Shell
Comment
Short name (required)
Long name (required)
Password format (required) and password text (required)
Apple mail data
ARA (Apple Remote Accessthis data is ignored)
lhe following group account attributes might be present in \Vl 6les.
Group name (required)
Group ID (required)
One members short name (required)
Other members short names
Using XML Files Created with AppleShare IP 6.3
You can use the Web & File Admin application on an AppleShare IP 6.3 server to create
an export 6le and then use workgroup Vanager or dsimport to import that 6le into an
Open Directory domain.
lhe following user account attributes are exported into the \Vl 6les. An error occurs
when you import a 6le with missing required attributes.
Name (required, mapped to a long name)
InetAlias (mapped to a short name)
Comment
Indication of whether user can log in
Password format (required) and password text (required)
Apple mail data
An indicator for whether the user is a server administrator; the password change
data; and an indicator for forcing a password to change (this data is ignored)
The dsimport tool generates user l0s when you import this \Vl 6le, using the -s
parameter to determine the user ID to start with and incrementing each subsequent
imported accounts user ID by one. It generates primary group IDs using the -r
parameter.
When you import using Workgroup Manager, user IDs and primary group IDs are
generated as you indicate in the dialog provided.
lhe following group account attributes might be present in these \Vl 6les.
Group name (required)
One members short name (required)
Other members short names
The dsimport tool generates group l0s when you import this \Vl 6le, using the -r
parameter to determine the group ID to start with, and incrementing each subsequent
imported groups ID by one.
When you import using Workgroup Manager, group IDs are generated using the
information you provide for group IDs in the import dialog.
A
access
ACLs 27, 28
Apple menu 184, 199
application 160, 165, 176, 177, 180, 188
control process 27, 30
disk 195, 197, 214
6le 27, 270
folder 27, 36, 37, 165, 199, 267
group 28, 114, 165, 213
guest 128
login 205, 207, 213
media 161, 198, 213, 214, 215
mobile account 146, 147, 148
preferences 160
printing 86, 87, 88, 235, 236, 237, 238
server 195, 197
share point 128, 213
user 22, 23, 74
website 106, 232, 233
Windows users 28
workgroup 206, 269
Workgroup Manager 22
See also LDAP, permissions, Universal Access
access control entries. See ACEs
access control lists. See ACLs
accounts
administrator 21, 22, 39, 52, 144, 154
backing up 274
creating 53
directory domains 43, 44, 45
editing 48, 264
6nding 43
lists of 43, 44, 45, 46
overview 21
prede6ned 52, 94, 273
preferences 151
types 52
See also computer accounts, group accounts,
importing, mobile accounts, user
accounts
ACEs (access control entries) 27, 28
ACLs (access control lists) 27, 28
Active Directory 28, 33, 36, 53, 144
addresses. See Ethernet ID, IP addresses
admin group 22
administrator
accounts for 21, 22, 39, 52, 144, 154
directory services 22
domain 37, 75
groups for 94, 96
mobile accounts 144
passwords for 37
privileges of 22, 37, 71, 73, 74, 265
server 71
setup 37, 38, 39
system 52
administrator computer 30, 38, 106
adult websites, access control 232
AFP (Apple Filing Protocol) service 125, 128, 134
AirPort base station 231
Always setting for preferences 171
anonymous users. See guest accounts
Apple Filing Protocol service. See AFP
Apple menu, Classic 184, 199
Apple Remote Desktop 261, 263
AppleShare IP migration utility 284
applications
access control 160, 165, 176, 177, 188
legacy access 180
preference editor 247, 248, 249, 251
See also speci6c applications
archiving, Open Directory master 275
ARD. See Apple Remote Desktop
assistive devices 243, 244, 245, 246
attributes, types of 273
augmented records 13, 51, 57
authentication
directory domains 30, 40
imported accounts 274, 275
Kerberos 267
mobile accounts 143
overview 25, 51
troubleshooting 264, 265, 267
See also login, passwords
automountable share points 128, 129, 134, 136
Index
285
I
n
d
e
x
286 Index
B
background synchronization 151, 226
backup
account 274
Time Machine 161, 168, 241
vs. synchronization 151
backup domain controller. See BDC
batch editing 48
batteries 193
BDC (backup domain controller) 52, 54, 125, 268
blog service, troubleshooting 267
Bluetooth 231
boot process. See startup
browsers, Safari 253
bundle IDs 176
Burn Disc command 198
C
calendar service. See iCal service
CDs, preferences 213, 214, 215
child groups 24, 171
Classic preferences
Apple menu access 184, 199
overview 160
restart options 183
sleep settings 185
startup options 182
System Folder 181, 182
user preferences location 185
client computers 31
clients
customizing for 160, 161, 163, 164
home folder hosting 125
management of 158
mobile 156
network-visible resources 159
preferences overview 160
testing settings for 269
workow improvement 164
See also group accounts, users
combined managed preferences 168, 171
command-line tools
domain name lookup 263
exporting 281, 282
folders 113
group accounts 96, 98, 99, 103, 107, 109
home folders 133
importing 273, 276, 278
managing preferences 255
overview 21
sharing 129
ssh access 113, 261
user accounts 39, 55, 59, 61, 62, 68, 70, 71, 72, 76
comments on user accounts 80
computer accounts
creating 116
guest 25, 117
mobile 153
overview 25, 115
preferences 168, 174
Windows computers 118
Workgroup Manager layout 160
computer groups
adding to 121
creating 119
deleting 122
editing 48
mobile 154
overview 25, 118
preferences 169, 170, 175
presets 48, 120, 121
removing computers 122
upgrading from lists 123
vs. computer lists 118
Workgroup Manager layout 160
computer lists 118, 123
computer name 115, 205
computers
administrator 30, 38, 106
client 31
guest 25, 117
hierarchical groups 119
view settings 200
See also portable computers
con6guration
administrator 37, 38, 39
domains 29, 40
earlier Mac OS X versions 40
home folders 34, 35, 36, 84
login options 204
mobile accounts 149
overview 29
portable computers 152
Server Admin 20
Server Preferences 21
share points 127
users 29
controllers
BDC 52, 54, 125, 268
PDC 52, 54, 125, 267, 268
core services bundle 251
CreateGroupFolder tool 113
createhomedir tool 133
crypt passwords 78, 266, 267
curfews on computer use 235
D
Dashboard 177, 179
Default View settings 200
desktop view 199
Details pane 160
Index 287
0lCP (0ynamic lost Con6guration Protocol)
service 208, 262, 263
Dictionary, hiding profanity in 232
dig tool 263
digital signatures 176, 177
directories. See directory services, domains, folders
directory domain administrator 37, 75
directory services
administrators for 22
preferences 172
requirements 33
See also domains, Open Directory
Directory Utility 208
disk images 159, 214
disks
access control 195, 197, 214
ejecting 198
quotas 34, 85, 139, 140, 141, 219
storage requirements 33
target disk mode 146
display settings 242
DNS (Domain Name System) service 42, 262, 263
Dock 160, 186, 187, 188, 189, 271, 272
documentation 16, 17, 18
Domain Name System. See DNS
domains, directory
administration of 22, 36, 37, 75
connections 40
control over 73
group accounts 94
guest computers 117
home folder storage 126
local 33, 43, 44, 54, 133
login 267
mobile accounts 144
proxy server settings 228, 229
purpose of 26
read-only 59
search policies 44
security 30, 40
setup 29, 40
shared 29, 267
user accounts in 43, 44, 45, 53, 58
See also LDAP, Open Directory
drives. See disks
drop boxes 140
dscl tool 39, 55, 59, 61, 255
dseditgroup tool 100, 103
dsexport tool 281, 282
dsimport tool 273, 276, 278
duplication of settings. See presets
DVDs, preferences 213, 214, 215
E
Energy Saver
desktop settings 190
management limitations 168
overview 161, 189
portable settings 191, 193
scheduling computer activity 193
sleep and wake settings 190
error messages 272
See also troubleshooting
Ethernet ID 115
Everyone user category 27, 60
exporting
accounts 50, 281
groups 281, 282
overview 273
passwords 274
users 281, 282
\Vl 6les 283, 284
See also importing
eXtensible Markup Language. See XML
external accounts
advantages of 222
de6nition 35
drive type support for 14
enabling 205
local home folder 147
login appearance 146
vs. local accounts 156
F
fast user switching 204
6le name extensions, visibility of 197
6le services
AFP 125, 128, 134
FTP 230
NFS 83, 125, 129, 134
See also share points
6le sharing, portable computers 154
6les
accessing 27, 270
caching of 144, 148
exporting XML 283, 284
extensions for 197
importing XML 283, 284
inheritance of permissions 99
FileVault 156, 219
Finder
desktop view 199
disc burning access 198
disk access 195, 197
ejecting disks 198
6le name extensions 197
folder access 199
overview 161, 194
288 Index
remote server access 197
restart control 199
server access 195
shutdown control 199
Simple Finder 194
Trash alert message 196
window behavior 195, 196, 200
6nding users and groups 42, 46, 47, 79, 94
folders
accessing 27, 36, 37, 165, 199, 267
client setup 125, 159
command-line tools 113
My Applications 188
synchronization of 224, 226
System 181, 182
See also group folders, home folders
Front Row 177, 179
FTP (File Transfer Protocol) service 230
full name. See long name
G
GID (group ID) 27, 81, 104
globally unique identi6er. See GUID
group accounts
command-line tools 96, 98, 99, 103, 107, 109
creating 96, 99
deleting 103
editing 48, 98
exporting 281, 282
6nding 94
group ID 27, 104
importing 275
login picture 105
member settings 93, 107
naming 68, 103
Open Directory 94
overview 24, 93
prede6ned 94, 273
presets 48, 98
read-only 102
search policies 106
web service 106
Windows 94, 107
See also groups
group folders
access control 165
de6nition 24, 159
preferences 187
server requirements 34
settings 111, 112, 114
share points 111, 213
Windows users 111
group ID. See GID
groups
access control 28, 114, 165, 213
adding users 83, 107
admin group 22
administrator 94, 96
basic settings 103
6nding 47
folder settings 111, 112, 114
hierarchical 24, 99, 102, 107, 119, 170
importing 278, 280, 281
legacy 102
membership 81, 82, 83
naming 103
permissions 81, 96
preferences 169, 173
primary 28, 81, 93
removing users 83, 109
sorting 47
See also computer groups
Groups folder 112
guest accounts
AFP access 128
creating 60
de6nition 23
login options 205
mobile 153
permissions 60
share point access 128
guest computers 25, 117
CUl0 (globally unique identi6er) 27, 28, 68, 92, 144,
274
H
help, using 15
helper applications 180
hierarchical groups
computers 119
preferences management 170
users 24, 99, 102, 107
home folders
creating 133
customizing 136
default 142
deleting 142
disk quotas for 140, 141
distributing across servers 126
Dock preferences 188
hosting for clients 125
local user 34, 35, 133
login controls 212
management of 132
mobile accounts 35, 132, 144, 145, 146, 147, 150,
164, 216, 218, 219, 221
moving 142
naming 66, 125, 140
network 34, 35, 125, 134, 159, 212
no home folder status 132
overview 124
portable home directories 35, 144
Index 289
presets 142
securing 156, 219
server requirements 34, 35
setup 34, 35, 36, 84
share points 30, 84, 126, 127, 128, 129, 131, 134, 136
synchronization 164
users 34, 35, 36, 91, 92, 164
Windows users 91, 92, 125, 131, 138, 141
hosts. See servers
hybrid computer groups 118
I
iCal service 76
iDisk 197
images, disk. See disk images, NetBoot, NetInstall
importing
accounts 50, 71
authentication 274, 275
command-line tools 273, 276, 278
groups 275
GUID maintenance 274
overview 273
passwords 71, 274
users 275, 278
\Vl 6les 283, 284
See also exporting
importing users and groups 278, 280, 281
Info settings 89
inheritance, 6le permission 99
inherited preferences 169
install images. See NetInstall
Internet sharing 230
IP addresses 263
K
Kerberos 267
keyboard preferences 244
keywords 79, 80
killall tool 62
L
LDAP (Lightweight Directory Access Protocol)
service
creating accounts 51, 53
domain privileges 73, 75
identifying directories 33
password types 78
troubleshooting 264
Legacy preferences 177, 180
limited administrator privileges 37, 74
local directory domain 33, 43, 44, 54, 133
local home folder 34, 35, 133
local mobile accounts 148, 154
login
automatic 204
con6guration 204
directory domain 267
frequently used items 211
group share point access 213
home folders 212
management limitations 168
mobile accounts 145, 146, 147, 152, 212, 216
passwords 26, 78
picture for user 72, 105
preferences overview 161, 201
process of 25
scripts 208, 210
window appearance 202
workgroup access 206
long name 65, 103
See also short name, user names
M
MAC address 115
Mac OS 9 181, 182, 184, 199
Mac OS X Server
hierarchical groups 99, 102
hybrid computer groups 118
importing from earlier versions 274, 283
working with earlier versions 40, 93
mail service 61, 84, 85
managed client 23
managed client extensions. See MCX
managed computer 168, 269
managed preferences
Applications 160
caching 172
combined 168, 171
command-line tools 255
Dashboard 177, 179
desktop 199
disabling 175
Dock 160, 186, 187, 188, 189
editing 49, 247, 248, 249, 251, 253
Front Row 177, 179
group folders 187
hierarchy 170
introduction 160
Legacy 177, 180
login 201
Media Access 161, 213, 214, 215
Network 161, 228, 229, 230, 231
overriding 168
overview 166
Parental Controls 161, 232, 233, 235
permanence settings 171
refreshing user 260
290 Index
Software Update 161, 239
System Preferences 161, 195, 240
See also Classic preferences, Energy Saver, Finder,
print service, Universal Access
managed preferences, working with 259
managed user 23, 168
manifests, preference 247, 251
master password 219
MCX extensions 255
media access control. See Ethernet ID
Media Access preferences 161, 213, 214, 215
media, streaming. See streaming media
mixed-state preference settings 49
mobile accounts
accessing 146, 147, 148
account status menu 227
administrator 144
advantages 148
blocking creation of 218
creating 216
deployment 148
directory domains 144
disadvantages 150
disk quotas 140
expiration periods 224
external accounts 146, 147, 156, 222
6le server optimization 157
home folders 35, 132, 144, 145, 146, 147, 150, 164,
216, 218, 219, 221
local 148, 154
login 145, 146, 147, 152, 212, 216
overview 143
preferences overview 161, 164, 215
removing 218
security 143, 156, 219
setup 152
synchronization 143, 146, 148, 150, 151, 224, 226
wireless considerations 155
See also portable computers
mouse preferences 245
multiple-account editing 48
My Applications folder 188
MySQL Server account 52
N
name server 42, 262, 263
naming conventions
computer name 115, 205
group accounts 68, 103
guest computers 117
home folders 66, 125, 140
presets 64
user names 65, 66, 67, 68, 69
net tool 69
NetBios name 115
NetBoot service 159
NetInstall 159
Network File System. See NFS
network home folders 34, 35, 125, 134, 159, 188, 212
network services
DHCP 208, 262, 263
DNS 42, 262
IP addresses 263
VPN 151
network users 29, 148
networks
preferences 161, 228, 229, 230, 231
time and time zones 261
views troubleshooting 272
wired vs. wireless mobile 155
Never setting for preferences 171
NFS (Network File System) 83, 125, 129, 134
nodes, directory. See domains, directory
O
Often setting for preferences 172
Once setting for preferences 171, 175
Open Directory
blog control 267
creating accounts 53
group accounts 94
modifying accounts 58
passwords 78, 266
requirements 33
wiki control 267
See also Active Directory, domains
Open Directory master 275
Open Directory Password Server 266
opportunistic locking (oplocks) 131
Overview pane 160
Owner user category 27
P
parent groups 24, 99, 171
Parental Controls 161, 232, 233, 235
passive FTP mode 230
passwd tool 57
Password Server. See Open Directory Password
Server
passwords
administrator 37
assigning 70
crypt 78, 266, 267
FileVault 219
hints 204
imported accounts 71, 274
importing 280
login process 26, 78
Open Directory 78, 266
Index 291
shadow 78
troubleshooting 264, 265, 266, 267
types 78
PDC (primary domain controller) 52, 54, 125, 267,
268
permissions
access 27, 28
administrator 22, 37, 71, 73, 74, 265
6les 99
group 81, 96
guest 60
inheritance 99
mobile accounts 221
root 37
simultaneous login 77
sshd privilege separation 52
troubleshooting 265
user 73
picture, user login 72, 105
pointer preferences 245
portable computers
directory synchronization 35
Energy Saver settings 191, 193
FileVault 156, 219
guest 153
multiple local accounts 154
multiple users 154
setup 152
See also mobile accounts
ports, proxy server 228
POSIX (Portable Operating System Interface) 27, 28
power settings. See Energy Saver
prede6ned accounts 52, 94, 273
preferences
account 151
appearance 242
assistive devices 243, 244, 245, 246
browser 253
CDs 213, 214, 215
computer accounts 168, 174
computer groups 169, 170, 175
directory services 172
DVDs 213, 214, 215
group 169, 170, 173, 187
inherited 169
keyboard 244
mail 84
manifests 247, 251
mixed-state 49
mouse 245
overview 160, 164
server 21
streaming media 161
user 160, 168, 173, 185
web 253
Workgroup Manager 42, 166, 172
workgroups 163, 170, 207
See also managed preferences
presets
computer groups 48, 120, 121
home folders 142
user accounts 48, 63, 64, 65, 68
primary domain controller. See PDC
primary group, users 28, 81, 93
print service
access control 86, 87, 88, 235, 236, 237, 238
default printer setting 238
footers on printouts 238
overview 161, 235
printer problems 270
privileges, administrator 22, 37, 71, 73, 74, 265
See also permissions
problems. See troubleshooting
profanity, hiding 232
protocols
AFP 125, 128, 134
DHCP 208, 262, 263
FTP 230
SMB 28, 125, 130, 138
See also LDAP
proxy server settings 228, 229
Q
quotas, disk space 34, 85, 139, 140, 141, 219
R
read-only accounts 59, 102
real name. See long name
record descriptions, writing 278
records
augmented 13, 51, 57
remote servers 197, 261, 263
removable media, accessing 198, 213, 214, 215
restart, controlling 183, 199
roaming user pro6les 89, 90, 125, 139, 141
root permissions 37
S
Safari 253
screen display settings 242
search policies 26, 44, 106
searching users and groups 42, 46, 47, 79
security
ACLs 27, 28
directory domains 30, 40
home folders 156, 219
mobile clients 143, 156, 219
SID 28
292 Index
See also access, authentication, passwords,
permissions
security identi6er. See SID
Server Admin 20
server administrator 22
Server Assistant 37
Server Message Block. See SMB
Server Preferences 21
servers
accessing 195, 197
connections 197
group requirements 34
home folders 34, 35, 126
mobile account optimization 157
proxy 228, 229
remote 197, 261, 263
requirements 33
setup procedures. See con6guration
shadow passwords 78
share points
automountable 128, 129, 134, 136
group folders 111, 213
guest access 128
home folders 30, 84, 126, 127, 128, 129, 131, 134,
136
local users 133
mounting 128, 129
setup 127
Windows users 131
shared directory domain 29, 267
See also LDAP
shared 6les. See 6le sharing
sharing tool 129
shell scripts 78
short name 66, 67, 68, 104
shortcuts, command 246
shutdown, controlling 193, 199
Sl0 (Security ldenti6er) 28
Simple Finder 194
simultaneous login privileges 77
single sign-on authentication 267
sleep settings 185, 190, 193
Slow Keys 244
SMB (Server Message Block) protocol service 28,
125, 130, 138
Software Update 161, 239
ssh tool 113, 261
sshd privilege separation 52
standardgrouprecord tool 281
standarduserrecord tool 280
startup 159, 182, 193
Sticky Keys 244
streaming media 161
synchronization
directories 35
home folders 164
mobile account data 143, 146, 148, 150, 151, 224,
226
System Administrator account 52
System Folder, Classic 181, 182
System Preferences 161, 195, 240
System Pro6ler 269
System Services account 53
T
target disk mode 146
temporary 6les, caching of 144, 148
Terminal 78
time and time zone settings 261
time limits on computer use 235
Trash alert message 196
troubleshooting
administrator privileges 265
authentication 267
BDC 268
blog settings 267
DHCP service 263
DNS service 262
Dock items 271, 272
editing accounts 264
error messages 272
6le access 270
home folder access 267, 268, 269
LDAP directory 264
login 264, 265, 271
network views 272
Open Directory 264, 265, 266
passwords 264, 265, 266, 267
PDC 267
printers 270
time and time zones 261
wiki settings 267
Windows user problems 267, 268, 269
workgroup access 269
trust services 208
U
UIDs (user IDs) 27, 52, 69, 72, 92, 176
Universal Access
assistive devices 246
display settings 242
keyboard options 244
mouse options 245
overview 161, 242
shortcuts 246
visual alert 243
UNIX 125, 180
Unknown User account 53
Unprivileged User account 53
updating software 161, 239
Index 293
upgrading, computer lists to computer groups 123
user accounts
advanced settings 76
basic settings 65
calendar settings 77
command-line tools 39, 55, 59, 61, 62, 68, 70, 71,
72, 76
comments 80
creating 53
deleting 61
directory domains 43, 44, 45, 53, 58
disabling 62
editing 48, 58, 59
exporting 281, 282
importing 50, 71, 275
keywords 79, 80
lists 43, 44, 45, 46
local 133
mail settings 84
organization of 25, 26, 51
overview 21, 23
passwords 70, 71
prede6ned 52, 273
preferences 151
presets 48, 63, 64, 65
read-only 59
troubleshooting 264
types 52
user names 65, 66, 67, 68, 69, 264
Windows 51, 60
See also administrator, group accounts, guest
accounts, users
user ID. See UID
user names 65, 66, 67, 68, 69, 264
users
categories 27, 60
customizing for 160
6nding 42, 46, 47, 79
identities 27, 52, 69, 92, 176
importing 278, 280, 281
limited admin control 37, 74
login design 161
mail service 84, 85
managed 168
network 29, 148
overview 51
permissions 73
planning for 32, 33
preferences control 160, 168, 173, 185
primary group for 28, 81, 93
print service 86, 87, 88, 235, 236, 237, 238
remote 197, 261, 263
searching for 42, 46, 47, 79
setup 29
sorting 79
tools overview 19
UIDs 72
workgroup choice 163
See also clients, groups, home folders, user
accounts, Windows users
V
view settings 199, 242, 272
visual preferences 243
VPN (Virtual Private Network) 151
W
wake settings 190, 191, 192
web service
accessing 106, 232, 233
account 53
browser 253
websites, accessing 106, 232, 233
widgets in Dashboard 177, 179
wikis, troubleshooting 267
window behavior 195, 196, 200
Windows users
access control 28
accounts 51
computer accounts 118
creating accounts 54
disk quotas 141
group folders 111
home folders 91, 92, 125, 131, 138, 141
login 91
modifying accounts 61
pro6le location 89, 90
roaming pro6les 89, 90, 125, 139, 141
share points 131
wireless mobile lab 155
access control 22
account lists 43, 44, 45, 46
administrator setup 38, 39
batch editing 48
directory domains 40
earlier Mac OS X versions 40
exporting accounts 50, 281
importing accounts 50, 275
login 40
overview 13, 14, 19
panes 160
presets 48
searching users 46, 47
setup 38
synchronization 151
tasks overview 41
troubleshooting 264, 270
294 Index
See also managed preferences
workgroups
access control 206, 269
de6nition 24, 93, 168
group folders 111
multiple 164
troubleshooting 270
See also Workgroup Manager
X
\Vl (e\tensible Varkup language) 6les 283, 284

User Management v10.6

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

User Management v10.6

Uploaded by

Copyright:

Available Formats

Mac OS X Server

any volume includes volumes on internal or

any internal volume includes volumes on

any external volume includes volumes on

You might also like